diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2017-02-07 02:08:39 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2017-02-07 02:08:39 +0000 |
| commit | 8d9af885ed2035da2738bf51ed38e738a4c442de (patch) | |
| tree | a20f0d6db51989dace572abe08a2a13aadb29679 /lib/libssl | |
| parent | a3976944fcdd3b767a5c1e0126e6bccb223462ff (diff) | |
Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
Diffstat (limited to 'lib/libssl')
| -rw-r--r-- | lib/libssl/bio_ssl.c | 4 | ||||
| -rw-r--r-- | lib/libssl/d1_both.c | 18 | ||||
| -rw-r--r-- | lib/libssl/d1_clnt.c | 8 | ||||
| -rw-r--r-- | lib/libssl/d1_lib.c | 4 | ||||
| -rw-r--r-- | lib/libssl/d1_pkt.c | 42 | ||||
| -rw-r--r-- | lib/libssl/d1_srtp.c | 32 | ||||
| -rw-r--r-- | lib/libssl/d1_srvr.c | 12 | ||||
| -rw-r--r-- | lib/libssl/s3_lib.c | 48 | ||||
| -rw-r--r-- | lib/libssl/ssl_asn1.c | 4 | ||||
| -rw-r--r-- | lib/libssl/ssl_both.c | 26 | ||||
| -rw-r--r-- | lib/libssl/ssl_cert.c | 32 | ||||
| -rw-r--r-- | lib/libssl/ssl_ciph.c | 12 | ||||
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 262 | ||||
| -rw-r--r-- | lib/libssl/ssl_err.c | 269 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 98 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 7 | ||||
| -rw-r--r-- | lib/libssl/ssl_packet.c | 18 | ||||
| -rw-r--r-- | lib/libssl/ssl_pkt.c | 74 | ||||
| -rw-r--r-- | lib/libssl/ssl_rsa.c | 104 | ||||
| -rw-r--r-- | lib/libssl/ssl_sess.c | 30 | ||||
| -rw-r--r-- | lib/libssl/ssl_srvr.c | 212 | ||||
| -rw-r--r-- | lib/libssl/ssl_txt.c | 4 | ||||
| -rw-r--r-- | lib/libssl/t1_enc.c | 44 | ||||
| -rw-r--r-- | lib/libssl/t1_lib.c | 26 | ||||
| -rw-r--r-- | lib/libssl/t1_reneg.c | 24 |
25 files changed, 841 insertions, 573 deletions
diff --git a/lib/libssl/bio_ssl.c b/lib/libssl/bio_ssl.c index ababa8cf170..344ca21786a 100644 --- a/lib/libssl/bio_ssl.c +++ b/lib/libssl/bio_ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_ssl.c,v 1.26 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: bio_ssl.c,v 1.27 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -110,7 +110,7 @@ ssl_new(BIO *bi) bs = calloc(1, sizeof(BIO_SSL)); if (bs == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } bi->init = 0; diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index 0e4317653d1..9aba4b85f81 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.48 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: d1_both.c,v 1.49 2017/02/07 02:08:38 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -410,7 +410,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) S3I(s)->tmp.reuse_message = 0; if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } *ok = 1; @@ -475,12 +475,12 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) /* sanity checking */ if ((frag_off + frag_len) > msg_len) { - SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE); + SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); return SSL_AD_ILLEGAL_PARAMETER; } if ((frag_off + frag_len) > (unsigned long)max) { - SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE); + SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); return SSL_AD_ILLEGAL_PARAMETER; } @@ -492,7 +492,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) */ if (!BUF_MEM_grow_clean(s->internal->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); return SSL_AD_INTERNAL_ERROR; } @@ -506,7 +506,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) * They must be playing with us! BTW, failure to enforce * upper limit would open possibility for buffer overrun. */ - SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE); + SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); return SSL_AD_ILLEGAL_PARAMETER; } @@ -799,7 +799,7 @@ again: /* parse the message fragment header */ dtls1_get_message_header(wire, &msg_hdr) == 0) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } @@ -841,7 +841,7 @@ again: else /* Incorrectly formated Hello request */ { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } } @@ -872,7 +872,7 @@ again: */ if (i != (int)frag_len) { al = SSL3_AD_ILLEGAL_PARAMETER; - SSLerror(SSL3_AD_ILLEGAL_PARAMETER); + SSLerror(s, SSL3_AD_ILLEGAL_PARAMETER); goto f_err; } diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c index 6e124c7a855..8e4c2586a30 100644 --- a/lib/libssl/d1_clnt.c +++ b/lib/libssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.73 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.74 2017/02/07 02:08:38 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -216,7 +216,7 @@ dtls1_connect(SSL *s) cb(s, SSL_CB_HANDSHAKE_START, 1); if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -570,7 +570,7 @@ dtls1_connect(SSL *s) /* break; */ default: - SSLerror(SSL_R_UNKNOWN_STATE); + SSLerror(s, SSL_R_UNKNOWN_STATE); ret = -1; goto end; /* break; */ @@ -631,7 +631,7 @@ dtls1_get_hello_verify(SSL *s) goto truncated; if (ssl_version != s->version) { - SSLerror(SSL_R_WRONG_SSL_VERSION); + SSLerror(s, SSL_R_WRONG_SSL_VERSION); s->version = (s->version & 0xff00) | (ssl_version & 0xff); al = SSL_AD_PROTOCOL_VERSION; goto f_err; diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c index bd78494e669..8092d56a4c8 100644 --- a/lib/libssl/d1_lib.c +++ b/lib/libssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.40 2017/01/26 10:40:21 beck Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.41 2017/02/07 02:08:38 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -406,7 +406,7 @@ dtls1_check_timeout_num(SSL *s) if (D1I(s)->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ - SSLerror(SSL_R_READ_TIMEOUT_EXPIRED); + SSLerror(s, SSL_R_READ_TIMEOUT_EXPIRED); return -1; } diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c index 5e33a966dea..5fdd1768002 100644 --- a/lib/libssl/d1_pkt.c +++ b/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.61 2017/01/26 10:40:21 beck Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.62 2017/02/07 02:08:38 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -255,7 +255,7 @@ err: free(rdata->rbuf.buf); init_err: - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); free(rdata); pitem_free(item); return (-1); @@ -354,7 +354,7 @@ dtls1_process_record(SSL *s) /* check is not needed I believe */ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; - SSLerror(SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); goto f_err; } @@ -396,7 +396,7 @@ dtls1_process_record(SSL *s) (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && orig_len < mac_size + 1)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_TOO_SHORT); + SSLerror(s, SSL_R_LENGTH_TOO_SHORT); goto f_err; } @@ -433,7 +433,7 @@ dtls1_process_record(SSL *s) if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto f_err; } @@ -650,7 +650,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -667,7 +667,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } } @@ -731,7 +731,7 @@ start: */ if (dtls1_buffer_record(s, &(D1I(s)->buffered_app_data), rr->seq_num) < 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return (-1); } rr->length = 0; @@ -754,7 +754,7 @@ start: if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && (s->enc_read_ctx == NULL)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_APP_DATA_IN_HANDSHAKE); + SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); goto f_err; } @@ -817,7 +817,7 @@ start: /* Not certain if this is the right error handling */ al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_RECORD); + SSLerror(s, SSL_R_UNEXPECTED_RECORD); goto f_err; } @@ -862,7 +862,7 @@ start: (D1I(s)->handshake_fragment[2] != 0) || (D1I(s)->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_HELLO_REQUEST); + SSLerror(s, SSL_R_BAD_HELLO_REQUEST); goto err; } @@ -883,7 +883,7 @@ start: if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } @@ -940,7 +940,7 @@ start: { s->internal->rwstate = SSL_NOTHING; S3I(s)->fatal_alert = alert_descr; - SSLerror(SSL_AD_REASON_OFFSET + alert_descr); + SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); ERR_asprintf_error_data("SSL alert number %d", alert_descr); s->internal->shutdown|=SSL_RECEIVED_SHUTDOWN; @@ -948,7 +948,7 @@ start: return (0); } else { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_UNKNOWN_ALERT_TYPE); + SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); goto f_err; } @@ -974,7 +974,7 @@ start: if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { i = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_BAD_CHANGE_CIPHER_SPEC); + SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); goto err; } @@ -1038,7 +1038,7 @@ start: if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } @@ -1068,7 +1068,7 @@ start: goto start; } al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_RECORD); + SSLerror(s, SSL_R_UNEXPECTED_RECORD); goto f_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: @@ -1077,7 +1077,7 @@ start: * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto f_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, @@ -1099,7 +1099,7 @@ start: return (-1); } else { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_RECORD); + SSLerror(s, SSL_R_UNEXPECTED_RECORD); goto f_err; } } @@ -1122,13 +1122,13 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } } if (len > SSL3_RT_MAX_PLAIN_LENGTH) { - SSLerror(SSL_R_DTLS_MESSAGE_TOO_BIG); + SSLerror(s, SSL_R_DTLS_MESSAGE_TOO_BIG); return -1; } diff --git a/lib/libssl/d1_srtp.c b/lib/libssl/d1_srtp.c index 82dc8bfdefd..26c14543fc9 100644 --- a/lib/libssl/d1_srtp.c +++ b/lib/libssl/d1_srtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.20 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.21 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -187,7 +187,7 @@ ssl_ctx_make_profiles(const char *profiles_string, SRTP_PROTECTION_PROFILE *p; if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) { - SSLerror(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); + SSLerrorx(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES); return 1; } @@ -198,7 +198,7 @@ ssl_ctx_make_profiles(const char *profiles_string, col ? col - ptr : (int)strlen(ptr))) { sk_SRTP_PROTECTION_PROFILE_push(profiles, p); } else { - SSLerror(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); + SSLerrorx(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); sk_SRTP_PROTECTION_PROFILE_free(profiles); return 1; } @@ -262,12 +262,12 @@ ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) if (p) { if (ct == 0) { - SSLerror(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); return 1; } if ((2 + ct * 2 + 1) > maxlen) { - SSLerror(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); + SSLerror(s, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); return 1; } @@ -300,7 +300,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len, CBS cbs, ciphers, mki; if (len < 0) { - SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; goto done; } @@ -309,7 +309,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len, /* Pull off the cipher suite list */ if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) || CBS_len(&ciphers) % 2) { - SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; goto done; } @@ -318,7 +318,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len, while (CBS_len(&ciphers) > 0) { if (!CBS_get_u16(&ciphers, &id)) { - SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; goto done; } @@ -332,7 +332,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len, /* Extract the MKI value as a sanity check, but discard it for now. */ if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&cbs) != 0) { - SSLerror(SSL_R_BAD_SRTP_MKI_VALUE); + SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); *al = SSL_AD_DECODE_ERROR; goto done; } @@ -373,12 +373,12 @@ ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) { if (p) { if (maxlen < 5) { - SSLerror(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); + SSLerror(s, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); return 1; } if (s->internal->srtp_profile == 0) { - SSLerror(SSL_R_USE_SRTP_NOT_NEGOTIATED); + SSLerror(s, SSL_R_USE_SRTP_NOT_NEGOTIATED); return 1; } s2n(2, p); @@ -401,7 +401,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int CBS cbs, profile_ids, mki; if (len < 0) { - SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; return 1; } @@ -414,14 +414,14 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int */ if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) || !CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { - SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; return 1; } /* Must be no MKI, since we never offer one. */ if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) { - SSLerror(SSL_R_BAD_SRTP_MKI_VALUE); + SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); *al = SSL_AD_ILLEGAL_PARAMETER; return 1; } @@ -430,7 +430,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int /* Throw an error if the server gave us an unsolicited extension. */ if (clnt == NULL) { - SSLerror(SSL_R_NO_SRTP_PROFILES); + SSLerror(s, SSL_R_NO_SRTP_PROFILES); *al = SSL_AD_DECODE_ERROR; return 1; } @@ -449,7 +449,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int } } - SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; return 1; } diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c index fa860b8d5ac..860a5fc4e3d 100644 --- a/lib/libssl/d1_srvr.c +++ b/lib/libssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.83 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.84 2017/02/07 02:08:38 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -202,7 +202,7 @@ dtls1_accept(SSL *s) D1I(s)->listen = listen; if (s->cert == NULL) { - SSLerror(SSL_R_NO_CERTIFICATE_SET); + SSLerror(s, SSL_R_NO_CERTIFICATE_SET); ret = -1; goto end; } @@ -225,7 +225,7 @@ dtls1_accept(SSL *s) cb(s, SSL_CB_HANDSHAKE_START, 1); if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -506,7 +506,7 @@ dtls1_accept(SSL *s) * at this point and digest cached records. */ if (!S3I(s)->handshake_buffer) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -658,7 +658,7 @@ dtls1_accept(SSL *s) /* break; */ default: - SSLerror(SSL_R_UNKNOWN_STATE); + SSLerror(s, SSL_R_UNKNOWN_STATE); ret = -1; goto end; /* break; */ @@ -705,7 +705,7 @@ dtls1_send_hello_verify_request(SSL *s) if (s->ctx->internal->app_gen_cookie_cb == NULL || s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; } diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index fbc2d511d3a..d18a2388c34 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.134 2017/02/05 15:06:05 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.135 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1980,7 +1980,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { if (!ssl_cert_inst(&s->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); return (0); } } @@ -2009,17 +2009,17 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_TMP_RSA: case SSL_CTRL_SET_TMP_RSA_CB: - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); break; case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; if (dh == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); return (ret); } if ((dh = DHparams_dup(dh)) == NULL) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); return (ret); } DH_free(s->cert->dh_tmp); @@ -2029,7 +2029,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_TMP_DH_CB: - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (ret); case SSL_CTRL_SET_DH_AUTO: @@ -2041,18 +2041,18 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EC_KEY *ecdh = NULL; if (parg == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerror(s, ERR_R_PASSED_NULL_PARAMETER); return (ret); } if (!EC_KEY_up_ref((EC_KEY *)parg)) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); return (ret); } ecdh = (EC_KEY *)parg; if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { EC_KEY_free(ecdh); - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); return (ret); } } @@ -2063,7 +2063,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_TMP_ECDH_CB: { - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (ret); } break; @@ -2076,16 +2076,16 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (parg == NULL) break; if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { - SSLerror(SSL_R_SSL3_EXT_INVALID_SERVERNAME); + SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } if ((s->tlsext_hostname = strdup((char *)parg)) == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; } } else { - SSLerror(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); + SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return 0; } break; @@ -2173,14 +2173,14 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) if (cmd == SSL_CTRL_SET_TMP_DH_CB) { if (!ssl_cert_inst(&s->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); return (0); } } switch (cmd) { case SSL_CTRL_SET_TMP_RSA_CB: - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); break; case SSL_CTRL_SET_TMP_DH_CB: s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -2210,7 +2210,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); case SSL_CTRL_SET_TMP_RSA: case SSL_CTRL_SET_TMP_RSA_CB: - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); case SSL_CTRL_SET_TMP_DH: { @@ -2218,7 +2218,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) dh = (DH *)parg; if ((new = DHparams_dup(dh)) == NULL) { - SSLerror(ERR_R_DH_LIB); + SSLerrorx(ERR_R_DH_LIB); return 0; } DH_free(cert->dh_tmp); @@ -2228,7 +2228,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) /*break; */ case SSL_CTRL_SET_TMP_DH_CB: - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); case SSL_CTRL_SET_DH_AUTO: @@ -2240,18 +2240,18 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EC_KEY *ecdh = NULL; if (parg == NULL) { - SSLerror(ERR_R_ECDH_LIB); + SSLerrorx(ERR_R_ECDH_LIB); return 0; } ecdh = EC_KEY_dup((EC_KEY *)parg); if (ecdh == NULL) { - SSLerror(ERR_R_EC_LIB); + SSLerrorx(ERR_R_EC_LIB); return 0; } if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { EC_KEY_free(ecdh); - SSLerror(ERR_R_ECDH_LIB); + SSLerrorx(ERR_R_ECDH_LIB); return 0; } } @@ -2263,7 +2263,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) /* break; */ case SSL_CTRL_SET_TMP_ECDH_CB: { - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } break; @@ -2277,7 +2277,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) if (!keys) return 48; if (larg != 48) { - SSLerror(SSL_R_INVALID_TICKET_KEYS_LENGTH); + SSLerrorx(SSL_R_INVALID_TICKET_KEYS_LENGTH); return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { @@ -2356,7 +2356,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) switch (cmd) { case SSL_CTRL_SET_TMP_RSA_CB: - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); case SSL_CTRL_SET_TMP_DH_CB: cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index bcd1ddf83c8..4014bf6fe66 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.48 2017/01/26 10:40:21 beck Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.49 2017/02/07 02:08:38 beck Exp $ */ /* * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> @@ -232,7 +232,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) if (s == NULL) { if ((s = SSL_SESSION_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } } diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c index 2d79c24c86f..14fd121d53b 100644 --- a/lib/libssl/ssl_both.c +++ b/lib/libssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.5 2017/01/29 15:20:18 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.6 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -244,7 +244,7 @@ ssl3_get_finished(SSL *s, int a, int b) /* If this occurs, we have missed a message */ if (!S3I(s)->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_GOT_A_FIN_BEFORE_A_CCS); + SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); goto f_err; } S3I(s)->change_cipher_spec = 0; @@ -253,7 +253,7 @@ ssl3_get_finished(SSL *s, int a, int b) if (n < 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_DIGEST_LENGTH); + SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); goto f_err; } @@ -262,13 +262,13 @@ ssl3_get_finished(SSL *s, int a, int b) if (S3I(s)->tmp.peer_finish_md_len != md_len || CBS_len(&cbs) != md_len) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_DIGEST_LENGTH); + SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); goto f_err; } if (!CBS_mem_equal(&cbs, S3I(s)->tmp.peer_finish_md, CBS_len(&cbs))) { al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_DIGEST_CHECK_FAILED); + SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); goto f_err; } @@ -365,7 +365,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x) if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, x, NULL)) { - SSLerror(ERR_R_X509_LIB); + SSLerror(s, ERR_R_X509_LIB); goto err; } X509_verify_cert(&xs_ctx); @@ -419,7 +419,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) S3I(s)->tmp.reuse_message = 0; if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } *ok = 1; @@ -471,25 +471,25 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) if ((mt >= 0) && (*p != mt)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } CBS_init(&cbs, p, 4); if (!CBS_get_u8(&cbs, &u8) || !CBS_get_u24(&cbs, &l)) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); goto err; } S3I(s)->tmp.message_type = u8; if (l > (unsigned long)max) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE); + SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); goto f_err; } if (l && !BUF_MEM_grow_clean(s->internal->init_buf, l + 4)) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); goto err; } S3I(s)->tmp.message_size = l; @@ -679,7 +679,7 @@ ssl3_setup_read_buffer(SSL *s) return 1; err: - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } @@ -712,7 +712,7 @@ ssl3_setup_write_buffer(SSL *s) return 1; err: - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index 73683d40993..83a9f2e92dc 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.63 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.64 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -178,7 +178,7 @@ ssl_cert_new(void) ret = calloc(1, sizeof(CERT)); if (ret == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); @@ -195,7 +195,7 @@ ssl_cert_dup(CERT *cert) ret = calloc(1, sizeof(CERT)); if (ret == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } @@ -212,13 +212,13 @@ ssl_cert_dup(CERT *cert) if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { - SSLerror(ERR_R_DH_LIB); + SSLerrorx(ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { - SSLerror(ERR_R_BN_LIB); + SSLerrorx(ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; @@ -226,7 +226,7 @@ ssl_cert_dup(CERT *cert) if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { - SSLerror(ERR_R_BN_LIB); + SSLerrorx(ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; @@ -238,7 +238,7 @@ ssl_cert_dup(CERT *cert) if (cert->ecdh_tmp) { ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); if (ret->ecdh_tmp == NULL) { - SSLerror(ERR_R_EC_LIB); + SSLerrorx(ERR_R_EC_LIB); goto err; } } @@ -284,7 +284,7 @@ ssl_cert_dup(CERT *cert) default: /* Can't happen. */ - SSLerror(SSL_R_LIBRARY_BUG); + SSLerrorx(SSL_R_LIBRARY_BUG); } } } @@ -354,12 +354,12 @@ ssl_cert_inst(CERT **o) */ if (o == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } if (*o == NULL) { if ((*o = ssl_cert_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } } @@ -374,7 +374,7 @@ ssl_sess_cert_new(void) ret = calloc(1, sizeof *ret); if (ret == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return NULL; } ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); @@ -418,7 +418,7 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) x = sk_X509_value(sk, 0); if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) { - SSLerror(ERR_R_X509_LIB); + SSLerror(s, ERR_R_X509_LIB); return (0); } X509_STORE_CTX_set_ex_data(&ctx, @@ -574,7 +574,7 @@ SSL_load_client_CA_file(const char *file) in = BIO_new(BIO_s_file_internal()); if ((sk == NULL) || (in == NULL)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); goto err; } @@ -587,7 +587,7 @@ SSL_load_client_CA_file(const char *file) if (ret == NULL) { ret = sk_X509_NAME_new_null(); if (ret == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); goto err; } } @@ -642,7 +642,7 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); goto err; } @@ -711,7 +711,7 @@ SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) if (!ret) { SYSerror(errno); ERR_asprintf_error_data("opendir ('%s')", dir); - SSLerror(ERR_R_SYS_LIB); + SSLerrorx(ERR_R_SYS_LIB); } return ret; } diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index f167244eb4f..9808c7c37fc 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.92 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.93 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1072,7 +1072,7 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) number_uses = calloc((max_strength_bits + 1), sizeof(int)); if (!number_uses) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } @@ -1162,7 +1162,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, * it is no command or separator nor * alphanumeric, so we call this an error. */ - SSLerror(SSL_R_INVALID_COMMAND); + SSLerrorx(SSL_R_INVALID_COMMAND); retval = found = 0; l++; break; @@ -1308,7 +1308,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) ok = ssl_cipher_strength_sort(head_p, tail_p); else - SSLerror(SSL_R_INVALID_COMMAND); + SSLerrorx(SSL_R_INVALID_COMMAND); if (ok == 0) retval = 0; /* @@ -1377,7 +1377,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, num_of_ciphers = ssl_method->num_ciphers(); co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER)); if (co_list == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } @@ -1457,7 +1457,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *)); if (ca_list == NULL) { free(co_list); - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 6f2edf5d904..7f4d6582dad 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.5 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -211,7 +211,7 @@ ssl3_connect(SSL *s) cb(s, SSL_CB_HANDSHAKE_START, 1); if ((s->version & 0xff00 ) != 0x0300) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -550,7 +550,7 @@ ssl3_connect(SSL *s) /* break; */ default: - SSLerror(SSL_R_UNKNOWN_STATE); + SSLerror(s, SSL_R_UNKNOWN_STATE); ret = -1; goto end; /* break; */ @@ -595,7 +595,7 @@ ssl3_client_hello(SSL *s) SSL_SESSION *sess = s->session; if (ssl_supported_version_range(s, NULL, &max_version) != 1) { - SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE); + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return (-1); } s->client_version = s->version = max_version; @@ -665,7 +665,7 @@ ssl3_client_hello(SSL *s) *(p++) = i; if (i != 0) { if (i > (int)sizeof(s->session->session_id)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } memcpy(p, s->session->session_id, i); @@ -675,7 +675,7 @@ ssl3_client_hello(SSL *s) /* DTLS Cookie. */ if (SSL_IS_DTLS(s)) { if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } *(p++) = D1I(s)->cookie_len; @@ -688,7 +688,7 @@ ssl3_client_hello(SSL *s) bufend - &p[2], &outlen)) goto err; if (outlen == 0) { - SSLerror(SSL_R_NO_CIPHERS_AVAILABLE); + SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); goto err; } s2n(outlen, p); @@ -700,7 +700,7 @@ ssl3_client_hello(SSL *s) /* TLS extensions*/ if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -752,7 +752,7 @@ ssl3_get_server_hello(SSL *s) } else { /* Already sent a cookie. */ al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_BAD_MESSAGE_TYPE); + SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); goto f_err; } } @@ -760,7 +760,7 @@ ssl3_get_server_hello(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_BAD_MESSAGE_TYPE); + SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); goto f_err; } @@ -768,12 +768,12 @@ ssl3_get_server_hello(SSL *s) goto truncated; if (ssl_supported_version_range(s, &min_version, &max_version) != 1) { - SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE); + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); goto err; } if (server_version < min_version || server_version > max_version) { - SSLerror(SSL_R_WRONG_SSL_VERSION); + SSLerror(s, SSL_R_WRONG_SSL_VERSION); s->version = (s->version & 0xff00) | (server_version & 0xff); al = SSL_AD_PROTOCOL_VERSION; goto f_err; @@ -783,7 +783,7 @@ ssl3_get_server_hello(SSL *s) if ((method = tls1_get_client_method(server_version)) == NULL) method = dtls1_get_client_method(server_version); if (method == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } s->method = method; @@ -802,7 +802,7 @@ ssl3_get_server_hello(SSL *s) if ((CBS_len(&session_id) > sizeof(s->session->session_id)) || (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE)) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_SSL3_SESSION_ID_TOO_LONG); + SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; } @@ -834,7 +834,7 @@ ssl3_get_server_hello(SSL *s) s->sid_ctx, s->sid_ctx_length) != 0) { /* actually a client application bug */ al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; } s->s3->flags |= SSL3_FLAGS_CCS_OK; @@ -866,7 +866,7 @@ ssl3_get_server_hello(SSL *s) if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_UNKNOWN_CIPHER_RETURNED); + SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED); goto f_err; } @@ -874,7 +874,7 @@ ssl3_get_server_hello(SSL *s) if ((cipher->algorithm_ssl & SSL_TLSV1_2) && (TLS1_get_version(s) < TLS1_2_VERSION)) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_WRONG_CIPHER_RETURNED); + SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); goto f_err; } @@ -883,7 +883,7 @@ ssl3_get_server_hello(SSL *s) if (i < 0) { /* we did not say we would use this cipher */ al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_WRONG_CIPHER_RETURNED); + SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); goto f_err; } @@ -896,7 +896,7 @@ ssl3_get_server_hello(SSL *s) s->session->cipher_id = s->session->cipher->id; if (s->internal->hit && (s->session->cipher_id != cipher->id)) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); + SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); goto f_err; } S3I(s)->tmp.new_cipher = cipher; @@ -917,7 +917,7 @@ ssl3_get_server_hello(SSL *s) if (compression_method != 0) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); goto f_err; } @@ -925,11 +925,11 @@ ssl3_get_server_hello(SSL *s) p = (unsigned char *)CBS_data(&cbs); if (!ssl_parse_serverhello_tlsext(s, &p, CBS_len(&cbs), &al)) { /* 'al' set by ssl_parse_serverhello_tlsext */ - SSLerror(SSL_R_PARSE_TLSEXT); + SSLerror(s, SSL_R_PARSE_TLSEXT); goto f_err; } if (ssl_check_serverhello_tlsext(s) <= 0) { - SSLerror(SSL_R_SERVERHELLO_TLSEXT); + SSLerror(s, SSL_R_SERVERHELLO_TLSEXT); goto err; } @@ -942,7 +942,7 @@ ssl3_get_server_hello(SSL *s) truncated: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -974,13 +974,13 @@ ssl3_get_server_certificate(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_BAD_MESSAGE_TYPE); + SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); goto f_err; } if ((sk = sk_X509_new_null()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -994,7 +994,7 @@ ssl3_get_server_certificate(SSL *s) if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) || CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto f_err; } @@ -1005,7 +1005,7 @@ ssl3_get_server_certificate(SSL *s) goto truncated; if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_CERT_LENGTH_MISMATCH); + SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } @@ -1013,16 +1013,16 @@ ssl3_get_server_certificate(SSL *s) x = d2i_X509(NULL, &q, CBS_len(&cert)); if (x == NULL) { al = SSL_AD_BAD_CERTIFICATE; - SSLerror(ERR_R_ASN1_LIB); + SSLerror(s, ERR_R_ASN1_LIB); goto f_err; } if (q != CBS_data(&cert) + CBS_len(&cert)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_CERT_LENGTH_MISMATCH); + SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } if (!sk_X509_push(sk, x)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } x = NULL; @@ -1031,7 +1031,7 @@ ssl3_get_server_certificate(SSL *s) i = ssl_verify_cert_chain(s, sk); if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { al = ssl_verify_alarm_type(s->verify_result); - SSLerror(SSL_R_CERTIFICATE_VERIFY_FAILED); + SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED); goto f_err; } @@ -1057,7 +1057,7 @@ ssl3_get_server_certificate(SSL *s) if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { x = NULL; al = SSL3_AL_FATAL; - SSLerror(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); + SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); goto f_err; } @@ -1065,7 +1065,7 @@ ssl3_get_server_certificate(SSL *s) if (i < 0) { x = NULL; al = SSL3_AL_FATAL; - SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE); + SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto f_err; } @@ -1091,7 +1091,7 @@ ssl3_get_server_certificate(SSL *s) truncated: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } @@ -1122,21 +1122,21 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) CBS_init(&cbs, *pp, *nn); if ((dh = DH_new()) == NULL) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); goto err; } if (!CBS_get_u16_length_prefixed(&cbs, &dhp)) goto truncated; if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) { - SSLerror(ERR_R_BN_LIB); + SSLerror(s, ERR_R_BN_LIB); goto err; } if (!CBS_get_u16_length_prefixed(&cbs, &dhg)) goto truncated; if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) { - SSLerror(ERR_R_BN_LIB); + SSLerror(s, ERR_R_BN_LIB); goto err; } @@ -1144,7 +1144,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) goto truncated; if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk), NULL)) == NULL) { - SSLerror(ERR_R_BN_LIB); + SSLerror(s, ERR_R_BN_LIB); goto err; } @@ -1153,7 +1153,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) * Discard keys weaker than 1024 bits. */ if (DH_size(dh) < 1024 / 8) { - SSLerror(SSL_R_BAD_DH_P_LENGTH); + SSLerror(s, SSL_R_BAD_DH_P_LENGTH); goto err; } @@ -1174,7 +1174,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1199,16 +1199,16 @@ ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public) */ if ((ecdh = EC_KEY_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } if ((ngroup = EC_GROUP_new_by_curve_name(nid)) == NULL) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } if (EC_KEY_set_group(ecdh, ngroup) == 0) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } @@ -1216,13 +1216,13 @@ ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public) if ((point = EC_POINT_new(group)) == NULL || (bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } if (EC_POINT_oct2point(group, point, CBS_data(public), CBS_len(public), bn_ctx) == 0) { - SSLerror(SSL_R_BAD_ECPOINT); + SSLerror(s, SSL_R_BAD_ECPOINT); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); goto err; } @@ -1248,18 +1248,18 @@ ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public) size_t outlen; if (nid != NID_X25519) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } if (CBS_len(public) != X25519_KEY_LENGTH) { - SSLerror(SSL_R_BAD_ECPOINT); + SSLerror(s, SSL_R_BAD_ECPOINT); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); goto err; } if (!CBS_stow(public, &sc->peer_x25519_tmp, &outlen)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1293,7 +1293,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) curve_type != NAMED_CURVE_TYPE || !CBS_get_u16(&cbs, &curve_id)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_TOO_SHORT); + SSLerror(s, SSL_R_LENGTH_TOO_SHORT); goto f_err; } @@ -1303,13 +1303,13 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) */ if (tls1_check_curve(s, curve_id) != 1) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_WRONG_CURVE); + SSLerror(s, SSL_R_WRONG_CURVE); goto f_err; } if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) { al = SSL_AD_INTERNAL_ERROR; - SSLerror(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); + SSLerror(s, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); goto f_err; } @@ -1344,7 +1344,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1385,7 +1385,7 @@ ssl3_get_server_key_exchange(SSL *s) * ephemeral keys. */ if (alg_k & (SSL_kDHE|SSL_kECDHE)) { - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); al = SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } @@ -1421,7 +1421,7 @@ ssl3_get_server_key_exchange(SSL *s) goto err; } else if (alg_k != 0) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_MESSAGE); + SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } @@ -1433,7 +1433,7 @@ ssl3_get_server_key_exchange(SSL *s) int sigalg = tls12_get_sigid(pkey); /* Should never happen */ if (sigalg == -1) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } /* @@ -1443,13 +1443,13 @@ ssl3_get_server_key_exchange(SSL *s) if (2 > n) goto truncated; if (sigalg != (int)p[1]) { - SSLerror(SSL_R_WRONG_SIGNATURE_TYPE); + SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); al = SSL_AD_DECODE_ERROR; goto f_err; } md = tls12_get_hash(p[0]); if (md == NULL) { - SSLerror(SSL_R_UNKNOWN_DIGEST); + SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; goto f_err; } @@ -1467,7 +1467,7 @@ ssl3_get_server_key_exchange(SSL *s) if (i != n || n > j) { /* wrong packet length */ al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_WRONG_SIGNATURE_LENGTH); + SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH); goto f_err; } @@ -1499,13 +1499,13 @@ ssl3_get_server_key_exchange(SSL *s) p, n, pkey->pkey.rsa); if (i < 0) { al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_RSA_DECRYPT); + SSLerror(s, SSL_R_BAD_RSA_DECRYPT); goto f_err; } if (i == 0) { /* bad signature */ al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_SIGNATURE); + SSLerror(s, SSL_R_BAD_SIGNATURE); goto f_err; } } else { @@ -1518,20 +1518,20 @@ ssl3_get_server_key_exchange(SSL *s) if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) { /* bad signature */ al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_SIGNATURE); + SSLerror(s, SSL_R_BAD_SIGNATURE); goto f_err; } } } else { /* aNULL does not need public keys. */ if (!(alg_a & SSL_aNULL)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } /* still data left over */ if (n != 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_EXTRA_DATA_IN_MESSAGE); + SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); goto f_err; } } @@ -1544,7 +1544,7 @@ ssl3_get_server_key_exchange(SSL *s) truncated: /* wrong packet length */ al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1591,14 +1591,14 @@ ssl3_get_certificate_request(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerror(SSL_R_WRONG_MESSAGE_TYPE); + SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); goto err; } /* TLS does not like anon-DH with client cert */ if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerror(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); + SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); goto err; } @@ -1607,7 +1607,7 @@ ssl3_get_certificate_request(SSL *s) CBS_init(&cert_request, s->internal->init_msg, n); if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1620,7 +1620,7 @@ ssl3_get_certificate_request(SSL *s) if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) || !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype, sizeof(S3I(s)->tmp.ctype), NULL)) { - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } @@ -1628,7 +1628,7 @@ ssl3_get_certificate_request(SSL *s) CBS sigalgs; if (CBS_len(&cert_request) < 2) { - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } @@ -1637,28 +1637,28 @@ ssl3_get_certificate_request(SSL *s) */ if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } if ((CBS_len(&sigalgs) & 1) || !tls1_process_sigalgs(s, CBS_data(&sigalgs), CBS_len(&sigalgs))) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(SSL_R_SIGNATURE_ALGORITHMS_ERROR); + SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); goto err; } } /* get the CA RDNs */ if (CBS_len(&cert_request) < 2) { - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) || CBS_len(&cert_request) != 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto err; } @@ -1666,13 +1666,13 @@ ssl3_get_certificate_request(SSL *s) CBS rdn; if (CBS_len(&rdn_list) < 2) { - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(SSL_R_CA_DN_TOO_LONG); + SSLerror(s, SSL_R_CA_DN_TOO_LONG); goto err; } @@ -1680,17 +1680,17 @@ ssl3_get_certificate_request(SSL *s) if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(ERR_R_ASN1_LIB); + SSLerror(s, ERR_R_ASN1_LIB); goto err; } if (q != CBS_data(&rdn) + CBS_len(&rdn)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(SSL_R_CA_DN_LENGTH_MISMATCH); + SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH); goto err; } if (!sk_X509_NAME_push(ca_sk, xn)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } xn = NULL; /* avoid free in err block */ @@ -1706,7 +1706,7 @@ ssl3_get_certificate_request(SSL *s) ret = 1; if (0) { truncated: - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); } err: X509_NAME_free(xn); @@ -1739,13 +1739,13 @@ ssl3_get_new_session_ticket(SSL *s) } if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_BAD_MESSAGE_TYPE); + SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); goto f_err; } if (n < 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto f_err; } @@ -1757,14 +1757,14 @@ ssl3_get_new_session_ticket(SSL *s) !CBS_get_u16_length_prefixed(&cbs, &session_ticket) || CBS_len(&cbs) != 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto f_err; } s->session->tlsext_tick_lifetime_hint = (long)lifetime_hint; if (!CBS_stow(&session_ticket, &s->session->tlsext_tick, &s->session->tlsext_ticklen)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1814,7 +1814,7 @@ ssl3_get_cert_status(SSL *s) if (n < 0) { /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto f_err; } @@ -1823,20 +1823,20 @@ ssl3_get_cert_status(SSL *s) CBS_len(&cert_status) < 3) { /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto f_err; } if (status_type != TLSEXT_STATUSTYPE_ocsp) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_UNSUPPORTED_STATUS_TYPE); + SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); goto f_err; } if (!CBS_get_u24_length_prefixed(&cert_status, &response) || CBS_len(&cert_status) != 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); goto f_err; } @@ -1844,7 +1844,7 @@ ssl3_get_cert_status(SSL *s) &stow_len) || stow_len > INT_MAX) { s->internal->tlsext_ocsp_resplen = 0; al = SSL_AD_INTERNAL_ERROR; - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto f_err; } s->internal->tlsext_ocsp_resplen = (int)stow_len; @@ -1855,12 +1855,12 @@ ssl3_get_cert_status(SSL *s) s->ctx->internal->tlsext_status_arg); if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; - SSLerror(SSL_R_INVALID_STATUS_RESPONSE); + SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); goto f_err; } if (ret < 0) { al = SSL_AD_INTERNAL_ERROR; - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto f_err; } } @@ -1885,7 +1885,7 @@ ssl3_get_server_done(SSL *s) if (n > 0) { /* should contain no data */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerror(SSL_R_LENGTH_MISMATCH); + SSLerror(s, SSL_R_LENGTH_MISMATCH); return (-1); } ret = 1; @@ -1909,7 +1909,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if (pkey == NULL || pkey->type != EVP_PKEY_RSA || pkey->pkey.rsa == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -1918,14 +1918,14 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) arc4random_buf(&pms[2], sizeof(pms) - 2); if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa, RSA_PKCS1_PADDING); if (enc_len <= 0) { - SSLerror(SSL_R_BAD_RSA_ENCRYPT); + SSLerror(s, SSL_R_BAD_RSA_ENCRYPT); goto err; } @@ -1963,28 +1963,28 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) /* Ensure that we have an ephemeral key for DHE. */ if (sess_cert->peer_dh_tmp == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerror(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); + SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); goto err; } dh_srvr = sess_cert->peer_dh_tmp; /* Generate a new random key. */ if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); goto err; } if (!DH_generate_key(dh_clnt)) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); goto err; } key_size = DH_size(dh_clnt); if ((key = malloc(key_size)) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt); if (key_len <= 0) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); goto err; } @@ -2028,35 +2028,35 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) if ((group = EC_KEY_get0_group(sc->peer_ecdh_tmp)) == NULL || (point = EC_KEY_get0_public_key(sc->peer_ecdh_tmp)) == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } if ((ecdh = EC_KEY_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } if (!EC_KEY_set_group(ecdh, group)) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } /* Generate a new ECDH key pair. */ if (!(EC_KEY_generate_key(ecdh))) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } if ((key_size = ECDH_size(ecdh)) <= 0) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } if ((key = malloc(key_size)) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); } key_len = ECDH_compute_key(key, key_size, point, ecdh, NULL); if (key_len <= 0) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } @@ -2068,12 +2068,12 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh), POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); if (encoded_len == 0) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -2159,7 +2159,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb) goto err; } else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -2186,7 +2186,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) /* Get server sertificate PKEY and create ctx from it */ peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509; if (peer_cert == NULL) { - SSLerror(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); + SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); goto err; } @@ -2222,7 +2222,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) */ ukm_hash = EVP_MD_CTX_create(); if (ukm_hash == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -2238,7 +2238,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) EVP_MD_CTX_destroy(ukm_hash); if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { - SSLerror(SSL_R_LIBRARY_BUG); + SSLerror(s, SSL_R_LIBRARY_BUG); goto err; } @@ -2248,7 +2248,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) msglen = 255; if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32) < 0) { - SSLerror(SSL_R_LIBRARY_BUG); + SSLerror(s, SSL_R_LIBRARY_BUG); goto err; } @@ -2294,7 +2294,7 @@ ssl3_send_client_key_exchange(SSL *s) if ((sess_cert = SSI(s)->sess_cert) == NULL) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -2317,7 +2317,7 @@ ssl3_send_client_key_exchange(SSL *s) } else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -2379,14 +2379,14 @@ ssl3_send_client_verify(SSL *s) &hdata); if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } p += 2; if (!EVP_SignInit_ex(&mctx, md, NULL) || !EVP_SignUpdate(&mctx, hdata, hdatalen) || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); goto err; } s2n(u, p); @@ -2399,7 +2399,7 @@ ssl3_send_client_verify(SSL *s) if (RSA_sign(NID_md5_sha1, data, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]), &u, pkey->pkey.rsa) <= 0 ) { - SSLerror(ERR_R_RSA_LIB); + SSLerror(s, ERR_R_RSA_LIB); goto err; } s2n(u, p); @@ -2409,7 +2409,7 @@ ssl3_send_client_verify(SSL *s) &(data[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH, &(p[2]), (unsigned int *)&j, pkey->pkey.dsa)) { - SSLerror(ERR_R_DSA_LIB); + SSLerror(s, ERR_R_DSA_LIB); goto err; } s2n(j, p); @@ -2419,7 +2419,7 @@ ssl3_send_client_verify(SSL *s) &(data[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH, &(p[2]), (unsigned int *)&j, pkey->pkey.ec)) { - SSLerror(ERR_R_ECDSA_LIB); + SSLerror(s, ERR_R_ECDSA_LIB); goto err; } s2n(j, p); @@ -2436,12 +2436,12 @@ ssl3_send_client_verify(SSL *s) hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); if (hdatalen <= 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || !(md = EVP_get_digestbynid(nid))) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); goto err; } if (!EVP_DigestInit_ex(&mctx, md, NULL) || @@ -2454,7 +2454,7 @@ ssl3_send_client_verify(SSL *s) NULL) <= 0) || (EVP_PKEY_sign(pctx, &(p[2]), &sigsize, signbuf, u) <= 0)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); goto err; } if (!tls1_digest_cached_records(s)) @@ -2464,7 +2464,7 @@ ssl3_send_client_verify(SSL *s) n = j + 2; #endif } else { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -2522,7 +2522,7 @@ ssl3_send_client_certificate(SSL *s) i = 0; } else if (i == 1) { i = 0; - SSLerror(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); + SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); } X509_free(x509); @@ -2576,7 +2576,7 @@ ssl3_check_cert_and_algorithm(SSL *s) sc = SSI(s)->sess_cert; if (sc == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } dh = SSI(s)->sess_cert->peer_dh_tmp; @@ -2588,7 +2588,7 @@ ssl3_check_cert_and_algorithm(SSL *s) if (ssl_check_srvr_ecc_cert_and_alg( sc->peer_pkeys[idx].x509, s) == 0) { /* check failed */ - SSLerror(SSL_R_BAD_ECC_CERT); + SSLerror(s, SSL_R_BAD_ECC_CERT); goto f_err; } else { return (1); @@ -2600,21 +2600,21 @@ ssl3_check_cert_and_algorithm(SSL *s) /* Check that we have a certificate if we require one. */ if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { - SSLerror(SSL_R_MISSING_RSA_SIGNING_CERT); + SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT); goto f_err; } else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { - SSLerror(SSL_R_MISSING_DSA_SIGNING_CERT); + SSLerror(s, SSL_R_MISSING_DSA_SIGNING_CERT); goto f_err; } if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { - SSLerror(SSL_R_MISSING_RSA_ENCRYPTING_CERT); + SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } if ((alg_k & SSL_kDHE) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { - SSLerror(SSL_R_MISSING_DH_KEY); + SSLerror(s, SSL_R_MISSING_DH_KEY); goto f_err; } diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c index 525ba2146b9..f9e450125b4 100644 --- a/lib/libssl/ssl_err.c +++ b/lib/libssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.32 2017/01/26 10:40:21 beck Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.33 2017/02/07 02:08:38 beck Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -69,8 +69,94 @@ #define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0) #define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason) +/* See SSL_state_func_code below */ static ERR_STRING_DATA SSL_str_functs[]= { - {ERR_FUNC(0xfff), "SSL_internal"}, + {ERR_FUNC(1), "CONNECT_CW_FLUSH"}, + {ERR_FUNC(2), "CONNECT_CW_CLNT_HELLO"}, + {ERR_FUNC(3), "CONNECT_CW_CLNT_HELLO"}, + {ERR_FUNC(4), "CONNECT_CR_SRVR_HELLO"}, + {ERR_FUNC(5), "CONNECT_CR_SRVR_HELLO"}, + {ERR_FUNC(6), "CONNECT_CR_CERT"}, + {ERR_FUNC(7), "CONNECT_CR_CERT"}, + {ERR_FUNC(8), "CONNECT_CR_KEY_EXCH"}, + {ERR_FUNC(9), "CONNECT_CR_KEY_EXCH"}, + {ERR_FUNC(10), "CONNECT_CR_CERT_REQ"}, + {ERR_FUNC(11), "CONNECT_CR_CERT_REQ"}, + {ERR_FUNC(12), "CONNECT_CR_SRVR_DONE"}, + {ERR_FUNC(13), "CONNECT_CR_SRVR_DONE"}, + {ERR_FUNC(14), "CONNECT_CW_CERT"}, + {ERR_FUNC(15), "CONNECT_CW_CERT"}, + {ERR_FUNC(16), "CONNECT_CW_CERT_C"}, + {ERR_FUNC(17), "CONNECT_CW_CERT_D"}, + {ERR_FUNC(18), "CONNECT_CW_KEY_EXCH"}, + {ERR_FUNC(19), "CONNECT_CW_KEY_EXCH"}, + {ERR_FUNC(20), "CONNECT_CW_CERT_VRFY"}, + {ERR_FUNC(21), "CONNECT_CW_CERT_VRFY"}, + {ERR_FUNC(22), "CONNECT_CW_CHANGE"}, + {ERR_FUNC(23), "CONNECT_CW_CHANGE"}, + {ERR_FUNC(24), "CONNECT_CW_NEXT_PROTO"}, + {ERR_FUNC(25), "CONNECT_CW_NEXT_PROTO"}, + {ERR_FUNC(26), "CONNECT_CW_FINISHED"}, + {ERR_FUNC(27), "CONNECT_CW_FINISHED"}, + {ERR_FUNC(28), "CONNECT_CR_CHANGE"}, + {ERR_FUNC(29), "CONNECT_CR_CHANGE"}, + {ERR_FUNC(30), "CONNECT_CR_FINISHED"}, + {ERR_FUNC(31), "CONNECT_CR_FINISHED"}, + {ERR_FUNC(32), "CONNECT_CR_SESSION_TICKET"}, + {ERR_FUNC(33), "CONNECT_CR_SESSION_TICKET"}, + {ERR_FUNC(34), "CONNECT_CR_CERT_STATUS"}, + {ERR_FUNC(35), "CONNECT_CR_CERT_STATUS"}, + {ERR_FUNC(36), "ACCEPT_SW_FLUSH"}, + {ERR_FUNC(37), "ACCEPT_SR_CLNT_HELLO"}, + {ERR_FUNC(38), "ACCEPT_SR_CLNT_HELLO"}, + {ERR_FUNC(39), "ACCEPT_SR_CLNT_HELLO_C"}, + {ERR_FUNC(40), "ACCEPT_SW_HELLO_REQ"}, + {ERR_FUNC(41), "ACCEPT_SW_HELLO_REQ"}, + {ERR_FUNC(42), "ACCEPT_SW_HELLO_REQ_C"}, + {ERR_FUNC(43), "ACCEPT_SW_SRVR_HELLO"}, + {ERR_FUNC(44), "ACCEPT_SW_SRVR_HELLO"}, + {ERR_FUNC(45), "ACCEPT_SW_CERT"}, + {ERR_FUNC(46), "ACCEPT_SW_CERT"}, + {ERR_FUNC(47), "ACCEPT_SW_KEY_EXCH"}, + {ERR_FUNC(48), "ACCEPT_SW_KEY_EXCH"}, + {ERR_FUNC(49), "ACCEPT_SW_CERT_REQ"}, + {ERR_FUNC(50), "ACCEPT_SW_CERT_REQ"}, + {ERR_FUNC(51), "ACCEPT_SW_SRVR_DONE"}, + {ERR_FUNC(52), "ACCEPT_SW_SRVR_DONE"}, + {ERR_FUNC(53), "ACCEPT_SR_CERT"}, + {ERR_FUNC(54), "ACCEPT_SR_CERT"}, + {ERR_FUNC(55), "ACCEPT_SR_KEY_EXCH"}, + {ERR_FUNC(56), "ACCEPT_SR_KEY_EXCH"}, + {ERR_FUNC(57), "ACCEPT_SR_CERT_VRFY"}, + {ERR_FUNC(58), "ACCEPT_SR_CERT_VRFY"}, + {ERR_FUNC(59), "ACCEPT_SR_CHANGE"}, + {ERR_FUNC(60), "ACCEPT_SR_CHANGE"}, + {ERR_FUNC(61), "ACCEPT_SR_NEXT_PROTO"}, + {ERR_FUNC(62), "ACCEPT_SR_NEXT_PROTO"}, + {ERR_FUNC(63), "ACCEPT_SR_FINISHED"}, + {ERR_FUNC(64), "ACCEPT_SR_FINISHED"}, + {ERR_FUNC(65), "ACCEPT_SW_CHANGE"}, + {ERR_FUNC(66), "ACCEPT_SW_CHANGE"}, + {ERR_FUNC(67), "ACCEPT_SW_FINISHED"}, + {ERR_FUNC(68), "ACCEPT_SW_FINISHED"}, + {ERR_FUNC(69), "ACCEPT_SW_SESSION_TICKET"}, + {ERR_FUNC(70), "ACCEPT_SW_SESSION_TICKET"}, + {ERR_FUNC(71), "ACCEPT_SW_CERT_STATUS"}, + {ERR_FUNC(72), "ACCEPT_SW_CERT_STATUS"}, + {ERR_FUNC(73), "ST_BEFORE"}, + {ERR_FUNC(74), "ST_ACCEPT"}, + {ERR_FUNC(75), "ST_CONNECT"}, + {ERR_FUNC(76), "ST_OK"}, + {ERR_FUNC(77), "ST_RENEGOTIATE"}, + {ERR_FUNC(78), "ST_BEFORE_CONNECT"}, + {ERR_FUNC(79), "ST_OK_CONNECT"}, + {ERR_FUNC(80), "ST_BEFORE_ACCEPT"}, + {ERR_FUNC(81), "ST_OK_ACCEPT"}, + {ERR_FUNC(83), "DTLS1_ST_CR_HELLO_VERIFY_REQUEST"}, + {ERR_FUNC(84), "DTLS1_ST_CR_HELLO_VERIFY_REQUEST"}, + {ERR_FUNC(85), "DTLS1_ST_SW_HELLO_VERIFY_REQUEST"}, + {ERR_FUNC(86), "DTLS1_ST_SW_HELLO_VERIFY_REQUEST"}, + {ERR_FUNC(0xfff), "(UNKNOWN)SSL_internal"}, {0, NULL} }; @@ -402,3 +488,182 @@ SSL_load_error_strings(void) ERR_load_SSL_strings(); #endif } + +int +SSL_state_func_code(int state) { + switch (state) { + case SSL3_ST_CW_FLUSH: + return 1; + case SSL3_ST_CW_CLNT_HELLO_A: + return 2; + case SSL3_ST_CW_CLNT_HELLO_B: + return 3; + case SSL3_ST_CR_SRVR_HELLO_A: + return 4; + case SSL3_ST_CR_SRVR_HELLO_B: + return 5; + case SSL3_ST_CR_CERT_A: + return 6; + case SSL3_ST_CR_CERT_B: + return 7; + case SSL3_ST_CR_KEY_EXCH_A: + return 8; + case SSL3_ST_CR_KEY_EXCH_B: + return 9; + case SSL3_ST_CR_CERT_REQ_A: + return 10; + case SSL3_ST_CR_CERT_REQ_B: + return 11; + case SSL3_ST_CR_SRVR_DONE_A: + return 12; + case SSL3_ST_CR_SRVR_DONE_B: + return 13; + case SSL3_ST_CW_CERT_A: + return 14; + case SSL3_ST_CW_CERT_B: + return 15; + case SSL3_ST_CW_CERT_C: + return 16; + case SSL3_ST_CW_CERT_D: + return 17; + case SSL3_ST_CW_KEY_EXCH_A: + return 18; + case SSL3_ST_CW_KEY_EXCH_B: + return 19; + case SSL3_ST_CW_CERT_VRFY_A: + return 20; + case SSL3_ST_CW_CERT_VRFY_B: + return 21; + case SSL3_ST_CW_CHANGE_A: + return 22; + case SSL3_ST_CW_CHANGE_B: + return 23; + case SSL3_ST_CW_NEXT_PROTO_A: + return 24; + case SSL3_ST_CW_NEXT_PROTO_B: + return 25; + case SSL3_ST_CW_FINISHED_A: + return 26; + case SSL3_ST_CW_FINISHED_B: + return 27; + case SSL3_ST_CR_CHANGE_A: + return 28; + case SSL3_ST_CR_CHANGE_B: + return 29; + case SSL3_ST_CR_FINISHED_A: + return 30; + case SSL3_ST_CR_FINISHED_B: + return 31; + case SSL3_ST_CR_SESSION_TICKET_A: + return 32; + case SSL3_ST_CR_SESSION_TICKET_B: + return 33; + case SSL3_ST_CR_CERT_STATUS_A: + return 34; + case SSL3_ST_CR_CERT_STATUS_B: + return 35; + case SSL3_ST_SW_FLUSH: + return 36; + case SSL3_ST_SR_CLNT_HELLO_A: + return 37; + case SSL3_ST_SR_CLNT_HELLO_B: + return 38; + case SSL3_ST_SR_CLNT_HELLO_C: + return 39; + case SSL3_ST_SW_HELLO_REQ_A: + return 40; + case SSL3_ST_SW_HELLO_REQ_B: + return 41; + case SSL3_ST_SW_HELLO_REQ_C: + return 42; + case SSL3_ST_SW_SRVR_HELLO_A: + return 43; + case SSL3_ST_SW_SRVR_HELLO_B: + return 44; + case SSL3_ST_SW_CERT_A: + return 45; + case SSL3_ST_SW_CERT_B: + return 46; + case SSL3_ST_SW_KEY_EXCH_A: + return 47; + case SSL3_ST_SW_KEY_EXCH_B: + return 48; + case SSL3_ST_SW_CERT_REQ_A: + return 49; + case SSL3_ST_SW_CERT_REQ_B: + return 50; + case SSL3_ST_SW_SRVR_DONE_A: + return 51; + case SSL3_ST_SW_SRVR_DONE_B: + return 52; + case SSL3_ST_SR_CERT_A: + return 53; + case SSL3_ST_SR_CERT_B: + return 54; + case SSL3_ST_SR_KEY_EXCH_A: + return 55; + case SSL3_ST_SR_KEY_EXCH_B: + return 56; + case SSL3_ST_SR_CERT_VRFY_A: + return 57; + case SSL3_ST_SR_CERT_VRFY_B: + return 58; + case SSL3_ST_SR_CHANGE_A: + return 59; + case SSL3_ST_SR_CHANGE_B: + return 60; + case SSL3_ST_SR_NEXT_PROTO_A: + return 61; + case SSL3_ST_SR_NEXT_PROTO_B: + return 62; + case SSL3_ST_SR_FINISHED_A: + return 63; + case SSL3_ST_SR_FINISHED_B: + return 64; + case SSL3_ST_SW_CHANGE_A: + return 65; + case SSL3_ST_SW_CHANGE_B: + return 66; + case SSL3_ST_SW_FINISHED_A: + return 67; + case SSL3_ST_SW_FINISHED_B: + return 68; + case SSL3_ST_SW_SESSION_TICKET_A: + return 69; + case SSL3_ST_SW_SESSION_TICKET_B: + return 70; + case SSL3_ST_SW_CERT_STATUS_A: + return 71; + case SSL3_ST_SW_CERT_STATUS_B: + return 72; + case SSL_ST_BEFORE: + return 73; + case SSL_ST_ACCEPT: + return 74; + case SSL_ST_CONNECT: + return 75; + case SSL_ST_OK: + return 76; + case SSL_ST_RENEGOTIATE: + return 77; + case SSL_ST_BEFORE|SSL_ST_CONNECT: + return 78; + case SSL_ST_OK|SSL_ST_CONNECT: + return 79; + case SSL_ST_BEFORE|SSL_ST_ACCEPT: + return 80; + case SSL_ST_OK|SSL_ST_ACCEPT: + return 81; + case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: + return 83; + case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: + return 84; + case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: + return 85; + case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: + return 86; + default: + break; + } + return 0xfff; +} diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 898fdbc4799..7e752ae0d0e 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.155 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.156 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -163,7 +163,7 @@ int SSL_clear(SSL *s) { if (s->method == NULL) { - SSLerror(SSL_R_NO_METHOD_SPECIFIED); + SSLerror(s, SSL_R_NO_METHOD_SPECIFIED); return (0); } @@ -177,7 +177,7 @@ SSL_clear(SSL *s) s->internal->shutdown = 0; if (s->internal->renegotiate) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return (0); } @@ -226,7 +226,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { - SSLerror(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return (0); } return (1); @@ -238,21 +238,21 @@ SSL_new(SSL_CTX *ctx) SSL *s; if (ctx == NULL) { - SSLerror(SSL_R_NULL_SSL_CTX); + SSLerrorx(SSL_R_NULL_SSL_CTX); return (NULL); } if (ctx->method == NULL) { - SSLerror(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); + SSLerrorx(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); return (NULL); } if ((s = calloc(1, sizeof(*s))) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) { free(s); - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } @@ -371,7 +371,7 @@ SSL_new(SSL_CTX *ctx) err: SSL_free(s); - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } @@ -380,7 +380,7 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if (sid_ctx_len > sizeof ctx->sid_ctx) { - SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); + SSLerrorx(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return (0); } ctx->sid_ctx_length = sid_ctx_len; @@ -394,7 +394,7 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { - SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); + SSLerror(ssl, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return (0); } ssl->sid_ctx_length = sid_ctx_len; @@ -631,7 +631,7 @@ SSL_set_fd(SSL *s, int fd) bio = BIO_new(BIO_s_socket()); if (bio == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio, fd, BIO_NOCLOSE); @@ -652,7 +652,7 @@ SSL_set_wfd(SSL *s, int fd) bio = BIO_new(BIO_s_socket()); if (bio == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio, fd, BIO_NOCLOSE); @@ -675,7 +675,7 @@ SSL_set_rfd(SSL *s, int fd) bio = BIO_new(BIO_s_socket()); if (bio == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio, fd, BIO_NOCLOSE); @@ -870,11 +870,11 @@ SSL_CTX_check_private_key(const SSL_CTX *ctx) { if ((ctx == NULL) || (ctx->internal->cert == NULL) || (ctx->internal->cert->key->x509 == NULL)) { - SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED); + SSLerrorx(SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } if (ctx->internal->cert->key->privatekey == NULL) { - SSLerror(SSL_R_NO_PRIVATE_KEY_ASSIGNED); + SSLerrorx(SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } return (X509_check_private_key(ctx->internal->cert->key->x509, @@ -886,19 +886,19 @@ int SSL_check_private_key(const SSL *ssl) { if (ssl == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } if (ssl->cert == NULL) { - SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED); + SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } if (ssl->cert->key->x509 == NULL) { - SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED); + SSLerror(ssl, SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } if (ssl->cert->key->privatekey == NULL) { - SSLerror(SSL_R_NO_PRIVATE_KEY_ASSIGNED); + SSLerror(ssl, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } return (X509_check_private_key(ssl->cert->key->x509, @@ -933,7 +933,7 @@ int SSL_read(SSL *s, void *buf, int num) { if (s->internal->handshake_func == NULL) { - SSLerror(SSL_R_UNINITIALIZED); + SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } @@ -948,7 +948,7 @@ int SSL_peek(SSL *s, void *buf, int num) { if (s->internal->handshake_func == NULL) { - SSLerror(SSL_R_UNINITIALIZED); + SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } @@ -962,13 +962,13 @@ int SSL_write(SSL *s, const void *buf, int num) { if (s->internal->handshake_func == NULL) { - SSLerror(SSL_R_UNINITIALIZED); + SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { s->internal->rwstate = SSL_NOTHING; - SSLerror(SSL_R_PROTOCOL_IS_SHUTDOWN); + SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN); return (-1); } return (s->method->internal->ssl_write(s, buf, num)); @@ -985,7 +985,7 @@ SSL_shutdown(SSL *s) */ if (s->internal->handshake_func == NULL) { - SSLerror(SSL_R_UNINITIALIZED); + SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } @@ -1297,7 +1297,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) if (sk == NULL) return (0); else if (sk_SSL_CIPHER_num(sk) == 0) { - SSLerror(SSL_R_NO_CIPHER_MATCH); + SSLerrorx(SSL_R_NO_CIPHER_MATCH); return (0); } return (1); @@ -1315,7 +1315,7 @@ SSL_set_cipher_list(SSL *s, const char *str) if (sk == NULL) return (0); else if (sk_SSL_CIPHER_num(sk) == 0) { - SSLerror(SSL_R_NO_CIPHER_MATCH); + SSLerror(s, SSL_R_NO_CIPHER_MATCH); return (0); } return (1); @@ -1419,19 +1419,19 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) * RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2]. */ if (num < 2 || num > 0x10000 - 2) { - SSLerror(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return (NULL); } if ((sk = sk_SSL_CIPHER_new_null()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } CBS_init(&cbs, p, num); while (CBS_len(&cbs) > 0) { if (!CBS_get_u16(&cbs, &cipher_value)) { - SSLerror(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); goto err; } @@ -1443,7 +1443,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) * renegotiating. */ if (s->internal->renegotiate) { - SSLerror(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); @@ -1462,7 +1462,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) */ max_version = ssl_max_server_version(s); if (max_version == 0 || s->version < max_version) { - SSLerror(SSL_R_INAPPROPRIATE_FALLBACK); + SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); if (s->s3 != NULL) ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INAPPROPRIATE_FALLBACK); @@ -1473,7 +1473,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num) if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) { if (!sk_SSL_CIPHER_push(sk, c)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } } @@ -1783,22 +1783,22 @@ SSL_CTX_new(const SSL_METHOD *meth) SSL_CTX *ret; if (meth == NULL) { - SSLerror(SSL_R_NULL_SSL_METHOD_PASSED); + SSLerrorx(SSL_R_NULL_SSL_METHOD_PASSED); return (NULL); } if ((ret = calloc(1, sizeof(*ret))) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) { free(ret); - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { - SSLerror(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); + SSLerrorx(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } @@ -1857,7 +1857,7 @@ SSL_CTX_new(const SSL_METHOD *meth) &ret->internal->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { - SSLerror(SSL_R_LIBRARY_HAS_NO_CIPHERS); + SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } @@ -1866,11 +1866,11 @@ SSL_CTX_new(const SSL_METHOD *meth) goto err; if ((ret->internal->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { - SSLerror(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); + SSLerrorx(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); goto err2; } if ((ret->internal->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { - SSLerror(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); + SSLerrorx(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); goto err2; } @@ -1925,7 +1925,7 @@ SSL_CTX_new(const SSL_METHOD *meth) return (ret); err: - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); err2: SSL_CTX_free(ret); return (NULL); @@ -2109,7 +2109,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) /* Key usage, if present, must allow signing. */ if ((x->ex_flags & EXFLAG_KUSAGE) && ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) { - SSLerror(SSL_R_ECC_CERT_NOT_FOR_SIGNING); + SSLerror(s, SSL_R_ECC_CERT_NOT_FOR_SIGNING); return (0); } } @@ -2141,7 +2141,7 @@ ssl_get_server_send_pkey(const SSL *s) } else if (alg_a & SSL_aGOST01) { i = SSL_PKEY_GOST01; } else { /* if (alg_a & SSL_aNULL) */ - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return (NULL); } @@ -2181,7 +2181,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) idx = SSL_PKEY_ECC; if (idx == -1) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return (NULL); } if (pmd) @@ -2385,7 +2385,7 @@ SSL_do_handshake(SSL *s) int ret = 1; if (s->internal->handshake_func == NULL) { - SSLerror(SSL_R_CONNECTION_TYPE_NOT_SET); + SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET); return (-1); } @@ -2430,21 +2430,21 @@ SSL_set_connect_state(SSL *s) int ssl_undefined_function(SSL *s) { - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } int ssl_undefined_void_function(void) { - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerrorx(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } int ssl_undefined_const_function(const SSL *s) { - SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } @@ -2679,7 +2679,7 @@ ssl_init_wbio_buffer(SSL *s, int push) (void)BIO_reset(bbio); /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ if (!BIO_set_read_buffer_size(bbio, 1)) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); return (0); } if (push) { diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 1ce9350ba61..a64edd2c183 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.172 2017/01/26 10:40:21 beck Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.173 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1367,8 +1367,11 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, unsigned mac_secret_length); +int SSL_state_func_code(int _state); -#define SSLerror(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__) +#define SSLerror(s, r) ERR_PUT_error(ERR_LIB_SSL, \ + (SSL_state_func_code(s->internal->state)),(r),__FILE__,__LINE__) +#define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__) __END_HIDDEN_DECLS diff --git a/lib/libssl/ssl_packet.c b/lib/libssl/ssl_packet.c index 9ffc27e9a7c..d5d59967351 100644 --- a/lib/libssl/ssl_packet.c +++ b/lib/libssl/ssl_packet.c @@ -106,11 +106,11 @@ ssl_convert_sslv2_client_hello(SSL *s) return -1; if (record_length < 9) { - SSLerror(SSL_R_RECORD_LENGTH_MISMATCH); + SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH); return -1; } if (record_length > 4096) { - SSLerror(SSL_R_RECORD_TOO_LARGE); + SSLerror(s, SSL_R_RECORD_TOO_LARGE); return -1; } @@ -149,7 +149,7 @@ ssl_convert_sslv2_client_hello(SSL *s) if (!CBS_get_bytes(&cbs, &challenge, challenge_length)) return -1; if (CBS_len(&cbs) != 0) { - SSLerror(SSL_R_RECORD_LENGTH_MISMATCH); + SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH); return -1; } @@ -234,14 +234,14 @@ ssl_server_legacy_first_packet(SSL *s) if (ssl_is_sslv2_client_hello(&header) == 1) { /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */ if (ssl_enabled_version_range(s, &min_version, NULL) != 1) { - SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE); + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return -1; } if (min_version > TLS1_VERSION) return 1; if (ssl_convert_sslv2_client_hello(s) != 1) { - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); return -1; } @@ -250,7 +250,7 @@ ssl_server_legacy_first_packet(SSL *s) /* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */ if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } data = (const char *)CBS_data(&header); @@ -260,15 +260,15 @@ ssl_server_legacy_first_packet(SSL *s) strncmp("POST ", data, 5) == 0 || strncmp("HEAD ", data, 5) == 0 || strncmp("PUT ", data, 4) == 0) { - SSLerror(SSL_R_HTTP_REQUEST); + SSLerror(s, SSL_R_HTTP_REQUEST); return -1; } if (strncmp("CONNE", data, 5) == 0) { - SSLerror(SSL_R_HTTPS_PROXY_REQUEST); + SSLerror(s, SSL_R_HTTPS_PROXY_REQUEST); return -1; } - SSLerror(SSL_R_UNKNOWN_PROTOCOL); + SSLerror(s, SSL_R_UNKNOWN_PROTOCOL); return -1; } diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c index c57eacd7700..f49cc45efd8 100644 --- a/lib/libssl/ssl_pkt.c +++ b/lib/libssl/ssl_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_pkt.c,v 1.9 2017/01/31 15:35:46 jsing Exp $ */ +/* $OpenBSD: ssl_pkt.c,v 1.10 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -224,7 +224,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (n > (int)(rb->len - rb->offset)) { /* does not happen */ - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -248,7 +248,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) s->internal->rwstate = SSL_READING; i = BIO_read(s->rbio, pkt + len + left, max - left); } else { - SSLerror(SSL_R_READ_BIO_NOT_SET); + SSLerror(s, SSL_R_READ_BIO_NOT_SET); i = -1; } @@ -364,7 +364,7 @@ ssl3_get_record(SSL *s) if (!CBS_get_u8(&header, &type) || !CBS_get_u16(&header, &ssl_version) || !CBS_get_u16(&header, &len)) { - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); goto err; } @@ -373,7 +373,7 @@ ssl3_get_record(SSL *s) /* Lets check version */ if (!s->internal->first_packet && ssl_version != s->version) { - SSLerror(SSL_R_WRONG_VERSION_NUMBER); + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && !s->internal->enc_write_ctx && !s->internal->write_hash) /* Send back error using their minor version number :-) */ @@ -383,13 +383,13 @@ ssl3_get_record(SSL *s) } if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) { - SSLerror(SSL_R_WRONG_VERSION_NUMBER); + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); goto err; } if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; - SSLerror(SSL_R_PACKET_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG); goto f_err; } @@ -424,7 +424,7 @@ ssl3_get_record(SSL *s) /* check is not needed I believe */ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; - SSLerror(SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); goto f_err; } @@ -438,7 +438,7 @@ ssl3_get_record(SSL *s) * -1: if the padding is invalid */ if (enc_err == 0) { al = SSL_AD_DECRYPTION_FAILED; - SSLerror(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); goto f_err; } @@ -466,7 +466,7 @@ ssl3_get_record(SSL *s) (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && orig_len < mac_size + 1)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_LENGTH_TOO_SHORT); + SSLerror(s, SSL_R_LENGTH_TOO_SHORT); goto f_err; } @@ -506,13 +506,13 @@ ssl3_get_record(SSL *s) * (e.g. via a logfile) */ al = SSL_AD_BAD_RECORD_MAC; - SSLerror(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + SSLerror(s, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto f_err; } if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { al = SSL_AD_RECORD_OVERFLOW; - SSLerror(SSL_R_DATA_LENGTH_TOO_LONG); + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto f_err; } @@ -538,7 +538,7 @@ ssl3_get_record(SSL *s) * empty record without forcing want_read. */ if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { - SSLerror(SSL_R_PEER_BEHAVING_BADLY); + SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); return -1; } if (s->internal->empty_record_count > 1) { @@ -569,7 +569,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) int i; if (len < 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -582,7 +582,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } } @@ -691,7 +691,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (prefix_len > (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { /* insufficient space */ - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } } @@ -834,7 +834,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || (S3I(s)->wpend_type != type)) { - SSLerror(SSL_R_BAD_WRITE_RETRY); + SSLerror(s, SSL_R_BAD_WRITE_RETRY); return (-1); } @@ -846,7 +846,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) (char *)&(wb->buf[wb->offset]), (unsigned int)wb->left); } else { - SSLerror(SSL_R_BIO_NOT_SET); + SSLerror(s, SSL_R_BIO_NOT_SET); i = -1; } if (i == wb->left) { @@ -911,14 +911,14 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (-1); if (len < 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -953,7 +953,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } } @@ -995,7 +995,7 @@ start: * reset by ssl3_get_finished */ && (rr->type != SSL3_RT_HANDSHAKE)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); + SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); goto f_err; } @@ -1015,7 +1015,7 @@ start: if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && (s->enc_read_ctx == NULL)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_APP_DATA_IN_HANDSHAKE); + SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); goto f_err; } @@ -1097,7 +1097,7 @@ start: (S3I(s)->handshake_fragment[2] != 0) || (S3I(s)->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_HELLO_REQUEST); + SSLerror(s, SSL_R_BAD_HELLO_REQUEST); goto f_err; } @@ -1115,7 +1115,7 @@ start: if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } @@ -1196,13 +1196,13 @@ start: */ else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_NO_RENEGOTIATION); + SSLerror(s, SSL_R_NO_RENEGOTIATION); goto f_err; } } else if (alert_level == SSL3_AL_FATAL) { s->internal->rwstate = SSL_NOTHING; S3I(s)->fatal_alert = alert_descr; - SSLerror(SSL_AD_REASON_OFFSET + alert_descr); + SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); ERR_asprintf_error_data("SSL alert number %d", alert_descr); s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; @@ -1210,7 +1210,7 @@ start: return (0); } else { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_UNKNOWN_ALERT_TYPE); + SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); goto f_err; } @@ -1230,21 +1230,21 @@ start: if ((rr->length != 1) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_BAD_CHANGE_CIPHER_SPEC); + SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); goto f_err; } /* Check we have a cipher to change to */ if (S3I(s)->tmp.new_cipher == NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_CCS_RECEIVED_EARLY); + SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); goto f_err; } /* Check that we should be receiving a Change Cipher Spec. */ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_CCS_RECEIVED_EARLY); + SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); goto f_err; } s->s3->flags &= ~SSL3_FLAGS_CCS_OK; @@ -1276,7 +1276,7 @@ start: if (i < 0) return (i); if (i == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } @@ -1305,7 +1305,7 @@ start: goto start; } al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_RECORD); + SSLerror(s, SSL_R_UNEXPECTED_RECORD); goto f_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: @@ -1314,7 +1314,7 @@ start: * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that * should not happen when type != rr->type */ al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto f_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, @@ -1336,7 +1336,7 @@ start: return (-1); } else { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_UNEXPECTED_RECORD); + SSLerror(s, SSL_R_UNEXPECTED_RECORD); goto f_err; } } @@ -1363,7 +1363,7 @@ ssl3_do_change_cipher_spec(SSL *s) if (S3I(s)->tmp.key_block == NULL) { if (s->session == NULL || s->session->master_key_length == 0) { /* might happen if dtls1_read_bytes() calls this */ - SSLerror(SSL_R_CCS_RECEIVED_EARLY); + SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); return (0); } @@ -1389,7 +1389,7 @@ ssl3_do_change_cipher_spec(SSL *s) i = tls1_final_finish_mac(s, sender, slen, S3I(s)->tmp.peer_finish_md); if (i == 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; } S3I(s)->tmp.peer_finish_md_len = i; diff --git a/lib/libssl/ssl_rsa.c b/lib/libssl/ssl_rsa.c index facb8ac2747..e99ce1e3ae2 100644 --- a/lib/libssl/ssl_rsa.c +++ b/lib/libssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.27 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.28 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,11 +74,11 @@ int SSL_use_certificate(SSL *ssl, X509 *x) { if (x == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } if (!ssl_cert_inst(&ssl->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(ssl, ERR_R_MALLOC_FAILURE); return (0); } return (ssl_set_cert(ssl->cert, x)); @@ -94,12 +94,12 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(ssl, ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerror(ssl, ERR_R_SYS_LIB); goto end; } if (type == SSL_FILETYPE_ASN1) { @@ -111,12 +111,12 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type) ssl->ctx->default_passwd_callback, ssl->ctx->default_passwd_callback_userdata); } else { - SSLerror(SSL_R_BAD_SSL_FILETYPE); + SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE); goto end; } if (x == NULL) { - SSLerror(j); + SSLerror(ssl, j); goto end; } @@ -135,7 +135,7 @@ SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) x = d2i_X509(NULL, &d,(long)len); if (x == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerror(ssl, ERR_R_ASN1_LIB); return (0); } @@ -151,15 +151,15 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) int ret; if (rsa == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } if (!ssl_cert_inst(&ssl->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(ssl, ERR_R_MALLOC_FAILURE); return (0); } if ((pkey = EVP_PKEY_new()) == NULL) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(ssl, ERR_R_EVP_LIB); return (0); } @@ -178,7 +178,7 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey) i = ssl_cert_type(NULL, pkey); if (i < 0) { - SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE); + SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE); return (0); } @@ -222,12 +222,12 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(ssl, ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerror(ssl, ERR_R_SYS_LIB); goto end; } if (type == SSL_FILETYPE_ASN1) { @@ -239,11 +239,11 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) ssl->ctx->default_passwd_callback, ssl->ctx->default_passwd_callback_userdata); } else { - SSLerror(SSL_R_BAD_SSL_FILETYPE); + SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE); goto end; } if (rsa == NULL) { - SSLerror(j); + SSLerror(ssl, j); goto end; } ret = SSL_use_RSAPrivateKey(ssl, rsa); @@ -262,7 +262,7 @@ SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) p = d; if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerror(ssl, ERR_R_ASN1_LIB); return (0); } @@ -277,11 +277,11 @@ SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) int ret; if (pkey == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } if (!ssl_cert_inst(&ssl->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(ssl, ERR_R_MALLOC_FAILURE); return (0); } ret = ssl_set_pkey(ssl->cert, pkey); @@ -297,12 +297,12 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(ssl, ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerror(ssl, ERR_R_SYS_LIB); goto end; } if (type == SSL_FILETYPE_PEM) { @@ -314,11 +314,11 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) j = ERR_R_ASN1_LIB; pkey = d2i_PrivateKey_bio(in, NULL); } else { - SSLerror(SSL_R_BAD_SSL_FILETYPE); + SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE); goto end; } if (pkey == NULL) { - SSLerror(j); + SSLerror(ssl, j); goto end; } ret = SSL_use_PrivateKey(ssl, pkey); @@ -337,7 +337,7 @@ SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) p = d; if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerror(ssl, ERR_R_ASN1_LIB); return (0); } @@ -350,11 +350,11 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { if (x == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } if (!ssl_cert_inst(&ctx->internal->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } return (ssl_set_cert(ctx->internal->cert, x)); @@ -368,13 +368,13 @@ ssl_set_cert(CERT *c, X509 *x) pkey = X509_get_pubkey(x); if (pkey == NULL) { - SSLerror(SSL_R_X509_LIB); + SSLerrorx(SSL_R_X509_LIB); return (0); } i = ssl_cert_type(x, pkey); if (i < 0) { - SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE); + SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE); EVP_PKEY_free(pkey); return (0); } @@ -427,12 +427,12 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerrorx(ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerrorx(ERR_R_SYS_LIB); goto end; } if (type == SSL_FILETYPE_ASN1) { @@ -443,12 +443,12 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata); } else { - SSLerror(SSL_R_BAD_SSL_FILETYPE); + SSLerrorx(SSL_R_BAD_SSL_FILETYPE); goto end; } if (x == NULL) { - SSLerror(j); + SSLerrorx(j); goto end; } @@ -467,7 +467,7 @@ SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) x = d2i_X509(NULL, &d,(long)len); if (x == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerrorx(ERR_R_ASN1_LIB); return (0); } @@ -483,15 +483,15 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) EVP_PKEY *pkey; if (rsa == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } if (!ssl_cert_inst(&ctx->internal->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } if ((pkey = EVP_PKEY_new()) == NULL) { - SSLerror(ERR_R_EVP_LIB); + SSLerrorx(ERR_R_EVP_LIB); return (0); } @@ -512,12 +512,12 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerrorx(ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerrorx(ERR_R_SYS_LIB); goto end; } if (type == SSL_FILETYPE_ASN1) { @@ -529,11 +529,11 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) ctx->default_passwd_callback, ctx->default_passwd_callback_userdata); } else { - SSLerror(SSL_R_BAD_SSL_FILETYPE); + SSLerrorx(SSL_R_BAD_SSL_FILETYPE); goto end; } if (rsa == NULL) { - SSLerror(j); + SSLerrorx(j); goto end; } ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); @@ -552,7 +552,7 @@ SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) p = d; if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerrorx(ERR_R_ASN1_LIB); return (0); } @@ -565,11 +565,11 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { if (pkey == NULL) { - SSLerror(ERR_R_PASSED_NULL_PARAMETER); + SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } if (!ssl_cert_inst(&ctx->internal->cert)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } return (ssl_set_pkey(ctx->internal->cert, pkey)); @@ -584,12 +584,12 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerrorx(ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerrorx(ERR_R_SYS_LIB); goto end; } if (type == SSL_FILETYPE_PEM) { @@ -601,11 +601,11 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) j = ERR_R_ASN1_LIB; pkey = d2i_PrivateKey_bio(in, NULL); } else { - SSLerror(SSL_R_BAD_SSL_FILETYPE); + SSLerrorx(SSL_R_BAD_SSL_FILETYPE); goto end; } if (pkey == NULL) { - SSLerror(j); + SSLerrorx(j); goto end; } ret = SSL_CTX_use_PrivateKey(ctx, pkey); @@ -625,7 +625,7 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, p = d; if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerrorx(ERR_R_ASN1_LIB); return (0); } @@ -651,7 +651,7 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata); if (x == NULL) { - SSLerror(ERR_R_PEM_LIB); + SSLerrorx(ERR_R_PEM_LIB); goto end; } @@ -711,12 +711,12 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) in = BIO_new(BIO_s_file_internal()); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerrorx(ERR_R_BUF_LIB); goto end; } if (BIO_read_filename(in, file) <= 0) { - SSLerror(ERR_R_SYS_LIB); + SSLerrorx(ERR_R_SYS_LIB); goto end; } @@ -735,7 +735,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) in = BIO_new_mem_buf(buf, len); if (in == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerrorx(ERR_R_BUF_LIB); goto end; } diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index 5477e9a168a..5d80e581962 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.69 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.70 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -200,12 +200,12 @@ SSL_SESSION_new(void) SSL_SESSION *ss; if ((ss = calloc(1, sizeof(*ss))) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) { free(ss); - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } @@ -312,7 +312,7 @@ ssl_get_new_session(SSL *s, int session) ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; break; default: - SSLerror(SSL_R_UNSUPPORTED_SSL_VERSION); + SSLerror(s, SSL_R_UNSUPPORTED_SSL_VERSION); SSL_SESSION_free(ss); return (0); } @@ -335,7 +335,7 @@ ssl_get_new_session(SSL *s, int session) tmp = ss->session_id_length; if (!cb(s, ss->session_id, &tmp)) { /* The callback failed */ - SSLerror(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); + SSLerror(s, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); SSL_SESSION_free(ss); return (0); } @@ -346,7 +346,7 @@ ssl_get_new_session(SSL *s, int session) */ if (!tmp || (tmp > ss->session_id_length)) { /* The callback set an illegal length */ - SSLerror(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); + SSLerror(s, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); SSL_SESSION_free(ss); return (0); } @@ -355,7 +355,7 @@ ssl_get_new_session(SSL *s, int session) /* Finally, check for a conflict. */ if (SSL_has_matching_session_id(s, ss->session_id, ss->session_id_length)) { - SSLerror(SSL_R_SSL_SESSION_ID_CONFLICT); + SSLerror(s, SSL_R_SSL_SESSION_ID_CONFLICT); SSL_SESSION_free(ss); return (0); } @@ -364,7 +364,7 @@ sess_id_done: if (s->tlsext_hostname) { ss->tlsext_hostname = strdup(s->tlsext_hostname); if (ss->tlsext_hostname == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); SSL_SESSION_free(ss); return 0; } @@ -374,7 +374,7 @@ sess_id_done: } if (s->sid_ctx_length > sizeof ss->sid_ctx) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); SSL_SESSION_free(ss); return 0; } @@ -523,7 +523,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, * applications to effectively disable the session cache by * accident without anyone noticing). */ - SSLerror(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); + SSLerror(s, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); fatal = 1; goto err; } @@ -723,7 +723,7 @@ SSL_set_session(SSL *s, SSL_SESSION *session) if (meth == NULL) meth = s->method->internal->get_ssl_method(session->ssl_version); if (meth == NULL) { - SSLerror(SSL_R_UNABLE_TO_FIND_SSL_METHOD); + SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD); return (0); } @@ -803,7 +803,7 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { - SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); + SSLerrorx(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } s->sid_ctx_length = sid_ctx_len; @@ -864,7 +864,7 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) s->internal->tlsext_session_ticket = malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); if (!s->internal->tlsext_session_ticket) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } @@ -1071,11 +1071,11 @@ int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) { if (!ENGINE_init(e)) { - SSLerror(ERR_R_ENGINE_LIB); + SSLerrorx(ERR_R_ENGINE_LIB); return 0; } if (!ENGINE_get_ssl_client_cert_function(e)) { - SSLerror(SSL_R_NO_CLIENT_CERT_METHOD); + SSLerrorx(SSL_R_NO_CLIENT_CERT_METHOD); ENGINE_finish(e); return 0; } diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 217ecafeec1..bb43ec74e22 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.5 2017/01/26 12:28:00 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.6 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -189,7 +189,7 @@ ssl3_accept(SSL *s) SSL_clear(s); if (s->cert == NULL) { - SSLerror(SSL_R_NO_CERTIFICATE_SET); + SSLerror(s, SSL_R_NO_CERTIFICATE_SET); ret = -1; goto end; } @@ -212,7 +212,7 @@ ssl3_accept(SSL *s) cb(s, SSL_CB_HANDSHAKE_START, 1); if ((s->version >> 8) != 3) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -253,7 +253,7 @@ ssl3_accept(SSL *s) * client that doesn't support secure * renegotiation. */ - SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); ret = -1; @@ -483,7 +483,7 @@ ssl3_accept(SSL *s) * at this point and digest cached records. */ if (!S3I(s)->handshake_buffer) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -671,7 +671,7 @@ ssl3_accept(SSL *s) /* break; */ default: - SSLerror(SSL_R_UNKNOWN_STATE); + SSLerror(s, SSL_R_UNKNOWN_STATE); ret = -1; goto end; /* break; */ @@ -770,7 +770,7 @@ ssl3_get_client_hello(SSL *s) goto truncated; if (ssl_max_shared_version(s, client_version, &shared_version) != 1) { - SSLerror(SSL_R_WRONG_VERSION_NUMBER); + SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && !s->internal->enc_write_ctx && !s->internal->write_hash) { /* @@ -788,7 +788,7 @@ ssl3_get_client_hello(SSL *s) if ((method = tls1_get_server_method(shared_version)) == NULL) method = dtls1_get_server_method(shared_version); if (method == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } s->method = method; @@ -861,7 +861,7 @@ ssl3_get_client_hello(SSL *s) */ if (CBS_len(&cookie) > sizeof(D1I(s)->rcvd_cookie)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_COOKIE_MISMATCH); + SSLerror(s, SSL_R_COOKIE_MISMATCH); goto f_err; } @@ -879,7 +879,7 @@ ssl3_get_client_hello(SSL *s) if (s->ctx->internal->app_verify_cookie_cb(s, D1I(s)->rcvd_cookie, cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_COOKIE_MISMATCH); + SSLerror(s, SSL_R_COOKIE_MISMATCH); goto f_err; } /* else cookie verification succeeded */ @@ -888,7 +888,7 @@ ssl3_get_client_hello(SSL *s) D1I(s)->cookie, D1I(s)->cookie_len) != 0) { /* default verification */ al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_COOKIE_MISMATCH); + SSLerror(s, SSL_R_COOKIE_MISMATCH); goto f_err; } ret = 2; @@ -902,7 +902,7 @@ ssl3_get_client_hello(SSL *s) if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) { /* we need a cipher if we are not resuming a session */ al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_NO_CIPHERS_SPECIFIED); + SSLerror(s, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } @@ -930,7 +930,7 @@ ssl3_get_client_hello(SSL *s) * list if we are asked to reuse it */ al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_REQUIRED_CIPHER_MISSING); + SSLerror(s, SSL_R_REQUIRED_CIPHER_MISSING); goto f_err; } } @@ -947,7 +947,7 @@ ssl3_get_client_hello(SSL *s) } if (comp_null == 0) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_NO_COMPRESSION_SPECIFIED); + SSLerror(s, SSL_R_NO_COMPRESSION_SPECIFIED); goto f_err; } @@ -956,11 +956,11 @@ ssl3_get_client_hello(SSL *s) /* TLS extensions*/ if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) { /* 'al' set by ssl_parse_clienthello_tlsext */ - SSLerror(SSL_R_PARSE_TLSEXT); + SSLerror(s, SSL_R_PARSE_TLSEXT); goto f_err; } if (ssl_check_clienthello_tlsext_early(s) <= 0) { - SSLerror(SSL_R_CLIENTHELLO_TLSEXT); + SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT); goto err; } @@ -991,7 +991,7 @@ ssl3_get_client_hello(SSL *s) SSL_get_ciphers(s)); if (pref_cipher == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_NO_SHARED_CIPHER); + SSLerror(s, SSL_R_NO_SHARED_CIPHER); goto f_err; } @@ -1016,7 +1016,7 @@ ssl3_get_client_hello(SSL *s) s->session->ciphers = ciphers; if (ciphers == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(SSL_R_NO_CIPHERS_PASSED); + SSLerror(s, SSL_R_NO_CIPHERS_PASSED); goto f_err; } ciphers = NULL; @@ -1025,7 +1025,7 @@ ssl3_get_client_hello(SSL *s) if (c == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_NO_SHARED_CIPHER); + SSLerror(s, SSL_R_NO_SHARED_CIPHER); goto f_err; } S3I(s)->tmp.new_cipher = c; @@ -1056,7 +1056,7 @@ ssl3_get_client_hello(SSL *s) /* Handles TLS extensions that we couldn't check earlier */ if (ssl_check_clienthello_tlsext_late(s) <= 0) { - SSLerror(SSL_R_CLIENTHELLO_TLSEXT); + SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT); goto err; } @@ -1065,7 +1065,7 @@ ssl3_get_client_hello(SSL *s) if (0) { truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } @@ -1124,7 +1124,7 @@ ssl3_send_server_hello(SSL *s) sl = s->session->session_id_length; if (sl > (int)sizeof(s->session->session_id)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -1147,7 +1147,7 @@ ssl3_send_server_hello(SSL *s) if ((p = ssl_add_serverhello_tlsext(s, p + outlen, bufend)) == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -1188,7 +1188,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) if (s->cert->dh_tmp_auto != 0) { if ((dhp = ssl_get_auto_dh(s)) == NULL) { al = SSL_AD_INTERNAL_ERROR; - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto f_err; } } else @@ -1200,24 +1200,24 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) if (dhp == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_MISSING_TMP_DH_KEY); + SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); goto f_err; } if (S3I(s)->tmp.dh != NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } if (s->cert->dh_tmp_auto != 0) { dh = dhp; } else if ((dh = DHparams_dup(dhp)) == NULL) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); goto err; } S3I(s)->tmp.dh = dh; if (!DH_generate_key(dh)) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); goto err; } @@ -1276,12 +1276,12 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) } if (ecdhp == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_MISSING_TMP_ECDH_KEY); + SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY); goto f_err; } if (S3I(s)->tmp.ecdh != NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -1289,7 +1289,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) if (s->cert->ecdh_tmp_auto != 0) { ecdh = ecdhp; } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } S3I(s)->tmp.ecdh = ecdh; @@ -1298,7 +1298,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) (EC_KEY_get0_private_key(ecdh) == NULL) || (s->internal->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } } @@ -1306,7 +1306,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) if (((group = EC_KEY_get0_group(ecdh)) == NULL) || (EC_KEY_get0_public_key(ecdh) == NULL) || (EC_KEY_get0_private_key(ecdh) == NULL)) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } @@ -1316,7 +1316,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) */ if ((curve_id = tls1_ec_nid2curve_id( EC_GROUP_get_curve_name(group))) == 0) { - SSLerror(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); + SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); goto err; } @@ -1331,7 +1331,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) bn_ctx = BN_CTX_new(); if ((encodedPoint == NULL) || (bn_ctx == NULL)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1339,7 +1339,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) POINT_CONVERSION_UNCOMPRESSED, encodedPoint, encodedlen, bn_ctx); if (encodedlen == 0) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } @@ -1391,7 +1391,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) /* Generate an X25519 key pair. */ if (S3I(s)->tmp.x25519 != NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL) @@ -1402,7 +1402,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) /* Serialize public key. */ if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) { - SSLerror(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); + SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); goto err; } @@ -1477,7 +1477,7 @@ ssl3_send_server_key_exchange(SSL *s) goto err; } else { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); + SSLerror(s, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto f_err; } @@ -1498,7 +1498,7 @@ ssl3_send_server_key_exchange(SSL *s) if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + params_len + kn)) { - SSLerror(ERR_LIB_BUF); + SSLerror(s, ERR_LIB_BUF); goto err; } @@ -1541,7 +1541,7 @@ ssl3_send_server_key_exchange(SSL *s) } if (RSA_sign(NID_md5_sha1, md_buf, j, &(p[2]), &u, pkey->pkey.rsa) <= 0) { - SSLerror(ERR_R_RSA_LIB); + SSLerror(s, ERR_R_RSA_LIB); goto err; } s2n(u, p); @@ -1552,7 +1552,7 @@ ssl3_send_server_key_exchange(SSL *s) if (!tls12_get_sigandhash(p, pkey, md)) { /* Should never happen */ al = SSL_AD_INTERNAL_ERROR; - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto f_err; } p += 2; @@ -1567,7 +1567,7 @@ ssl3_send_server_key_exchange(SSL *s) EVP_SignUpdate(&md_ctx, d, n); if (!EVP_SignFinal(&md_ctx, &p[2], (unsigned int *)&i, pkey)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); goto err; } s2n(i, p); @@ -1577,7 +1577,7 @@ ssl3_send_server_key_exchange(SSL *s) } else { /* Is this error check actually needed? */ al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_UNKNOWN_PKEY_TYPE); + SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); goto f_err; } } @@ -1643,7 +1643,7 @@ ssl3_send_certificate_request(SSL *s) if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + n + j + 2)) { - SSLerror(ERR_R_BUF_LIB); + SSLerror(s, ERR_R_BUF_LIB); goto err; } p = ssl3_handshake_msg_start(s, @@ -1689,7 +1689,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_MISSING_RSA_CERTIFICATE); + SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE); goto f_err; } rsa = pkey->pkey.rsa; @@ -1698,7 +1698,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) goto truncated; n2s(p, i); if (n != i + 2) { - SSLerror(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); + SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); goto err; } else n = i; @@ -1711,7 +1711,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) if (i != SSL_MAX_MASTER_KEY_LENGTH) { al = SSL_AD_DECODE_ERROR; - /* SSLerror(SSL_R_BAD_RSA_DECRYPT); */ + /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ } if (p - d + 2 > n) /* needed in the SSL3 case */ @@ -1733,7 +1733,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) { al = SSL_AD_DECODE_ERROR; - /* SSLerror(SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ /* * The Klima-Pokorny-Rosa extension of @@ -1771,7 +1771,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) return (1); truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1799,19 +1799,19 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n) if (S3I(s)->tmp.dh == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_MISSING_TMP_DH_KEY); + SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); goto f_err; } dh = S3I(s)->tmp.dh; if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) { - SSLerror(SSL_R_BN_LIB); + SSLerror(s, SSL_R_BN_LIB); goto err; } key_size = DH_compute_key(p, bn, dh); if (key_size <= 0) { - SSLerror(ERR_R_DH_LIB); + SSLerror(s, ERR_R_DH_LIB); BN_clear_free(bn); goto err; } @@ -1831,7 +1831,7 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n) truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: @@ -1855,7 +1855,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) /* Initialize structures for server's ECDH key pair. */ if ((srvr_ecdh = EC_KEY_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1870,13 +1870,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) if (!EC_KEY_set_group(srvr_ecdh, group) || !EC_KEY_set_private_key(srvr_ecdh, priv_key)) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } /* Let's get client's public key */ if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1898,14 +1898,14 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) * group. */ al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); + SSLerror(s, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); goto f_err; } if (EC_POINT_copy(clnt_ecpoint, EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } ret = 2; /* Skip certificate verify processing */ @@ -1915,7 +1915,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) * in the ClientKeyExchange message. */ if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1924,12 +1924,12 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) p += 1; if (n != 1 + i) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) { - SSLerror(ERR_R_EC_LIB); + SSLerror(s, ERR_R_EC_LIB); goto err; } /* @@ -1942,13 +1942,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) /* Compute the shared pre-master secret */ key_size = ECDH_size(srvr_ecdh); if (key_size <= 0) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh, NULL); if (i <= 0) { - SSLerror(ERR_R_ECDH_LIB); + SSLerror(s, ERR_R_ECDH_LIB); goto err; } @@ -2065,14 +2065,14 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n) if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { - SSLerror(SSL_R_DECRYPTION_FAILED); + SSLerror(s, SSL_R_DECRYPTION_FAILED); goto gerr; } start = p; inlen = Tlen; if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0) { - SSLerror(SSL_R_DECRYPTION_FAILED); + SSLerror(s, SSL_R_DECRYPTION_FAILED); goto gerr; } /* Generate master secret */ @@ -2095,7 +2095,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n) truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (-1); @@ -2133,7 +2133,7 @@ ssl3_get_client_key_exchange(SSL *s) goto err; } else { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_UNKNOWN_CIPHER_TYPE); + SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE); goto f_err; } @@ -2176,7 +2176,7 @@ ssl3_get_cert_verify(SSL *s) S3I(s)->tmp.reuse_message = 1; if (peer != NULL) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_MISSING_VERIFY_MESSAGE); + SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE); goto f_err; } ret = 1; @@ -2184,19 +2184,19 @@ ssl3_get_cert_verify(SSL *s) } if (peer == NULL) { - SSLerror(SSL_R_NO_CLIENT_CERT_RECEIVED); + SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED); al = SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } if (!(type & EVP_PKT_SIGN)) { - SSLerror(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); + SSLerror(s, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); al = SSL_AD_ILLEGAL_PARAMETER; goto f_err; } if (S3I(s)->change_cipher_spec) { - SSLerror(SSL_R_CCS_RECEIVED_EARLY); + SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); al = SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } @@ -2217,7 +2217,7 @@ ssl3_get_cert_verify(SSL *s) int sigalg = tls12_get_sigid(pkey); /* Should never happen */ if (sigalg == -1) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } @@ -2225,13 +2225,13 @@ ssl3_get_cert_verify(SSL *s) goto truncated; /* Check key type is consistent with signature */ if (sigalg != (int)p[1]) { - SSLerror(SSL_R_WRONG_SIGNATURE_TYPE); + SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); al = SSL_AD_DECODE_ERROR; goto f_err; } md = tls12_get_hash(p[0]); if (md == NULL) { - SSLerror(SSL_R_UNKNOWN_DIGEST); + SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; goto f_err; } @@ -2247,7 +2247,7 @@ ssl3_get_cert_verify(SSL *s) } j = EVP_PKEY_size(pkey); if ((i > j) || (n > j) || (n <= 0)) { - SSLerror(SSL_R_WRONG_SIGNATURE_SIZE); + SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); al = SSL_AD_DECODE_ERROR; goto f_err; } @@ -2257,20 +2257,20 @@ ssl3_get_cert_verify(SSL *s) void *hdata; hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); if (hdatalen <= 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } if (!EVP_VerifyInit_ex(&mctx, md, NULL) || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; goto f_err; } if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) { al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_SIGNATURE); + SSLerror(s, SSL_R_BAD_SIGNATURE); goto f_err; } } else @@ -2280,12 +2280,12 @@ ssl3_get_cert_verify(SSL *s) pkey->pkey.rsa); if (i < 0) { al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_RSA_DECRYPT); + SSLerror(s, SSL_R_BAD_RSA_DECRYPT); goto f_err; } if (i == 0) { al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_RSA_SIGNATURE); + SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); goto f_err; } } else @@ -2296,7 +2296,7 @@ ssl3_get_cert_verify(SSL *s) if (j <= 0) { /* bad signature */ al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_DSA_SIGNATURE); + SSLerror(s, SSL_R_BAD_DSA_SIGNATURE); goto f_err; } } else @@ -2307,7 +2307,7 @@ ssl3_get_cert_verify(SSL *s) if (j <= 0) { /* bad signature */ al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_ECDSA_SIGNATURE); + SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); goto f_err; } } else @@ -2323,19 +2323,19 @@ ssl3_get_cert_verify(SSL *s) hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); if (hdatalen <= 0) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || !(md = EVP_get_digestbynid(nid))) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; goto f_err; } pctx = EVP_PKEY_CTX_new(pkey, NULL); if (!pctx) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; goto f_err; } @@ -2348,7 +2348,7 @@ ssl3_get_cert_verify(SSL *s) EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; EVP_PKEY_CTX_free(pctx); goto f_err; @@ -2356,7 +2356,7 @@ ssl3_get_cert_verify(SSL *s) if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) { al = SSL_AD_DECRYPT_ERROR; - SSLerror(SSL_R_BAD_SIGNATURE); + SSLerror(s, SSL_R_BAD_SIGNATURE); EVP_PKEY_CTX_free(pctx); goto f_err; } @@ -2365,7 +2365,7 @@ ssl3_get_cert_verify(SSL *s) } else #endif { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_UNSUPPORTED_CERTIFICATE; goto f_err; } @@ -2375,7 +2375,7 @@ ssl3_get_cert_verify(SSL *s) if (0) { truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } @@ -2409,7 +2409,7 @@ ssl3_get_client_certificate(SSL *s) if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerror(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al = SSL_AD_HANDSHAKE_FAILURE; goto f_err; } @@ -2418,7 +2418,7 @@ ssl3_get_client_certificate(SSL *s) * the client must return a 0 list. */ if (S3I(s)->tmp.cert_request) { - SSLerror(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST + SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST ); al = SSL_AD_UNEXPECTED_MESSAGE; goto f_err; @@ -2429,7 +2429,7 @@ ssl3_get_client_certificate(SSL *s) if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(SSL_R_WRONG_MESSAGE_TYPE); + SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); goto f_err; } @@ -2439,7 +2439,7 @@ ssl3_get_client_certificate(SSL *s) CBS_init(&cbs, s->internal->init_msg, n); if ((sk = sk_X509_new_null()) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -2452,23 +2452,23 @@ ssl3_get_client_certificate(SSL *s) if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_CERT_LENGTH_MISMATCH); + SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } q = CBS_data(&cert); x = d2i_X509(NULL, &q, CBS_len(&cert)); if (x == NULL) { - SSLerror(ERR_R_ASN1_LIB); + SSLerror(s, ERR_R_ASN1_LIB); goto err; } if (q != CBS_data(&cert) + CBS_len(&cert)) { al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_CERT_LENGTH_MISMATCH); + SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } if (!sk_X509_push(sk, x)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } x = NULL; @@ -2481,7 +2481,7 @@ ssl3_get_client_certificate(SSL *s) */ if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerror(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al = SSL_AD_HANDSHAKE_FAILURE; goto f_err; } @@ -2494,7 +2494,7 @@ ssl3_get_client_certificate(SSL *s) i = ssl_verify_cert_chain(s, sk); if (i <= 0) { al = ssl_verify_alarm_type(s->verify_result); - SSLerror(SSL_R_NO_CERTIFICATE_RETURNED); + SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED); goto f_err; } } @@ -2510,7 +2510,7 @@ ssl3_get_client_certificate(SSL *s) if (SSI(s)->sess_cert == NULL) { SSI(s)->sess_cert = ssl_sess_cert_new(); if (SSI(s)->sess_cert == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } } @@ -2528,7 +2528,7 @@ ssl3_get_client_certificate(SSL *s) if (0) { truncated: al = SSL_AD_DECODE_ERROR; - SSLerror(SSL_R_BAD_PACKET_LENGTH); + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } @@ -2553,7 +2553,7 @@ ssl3_send_server_certificate(SSL *s) if (s->internal->state == SSL3_ST_SW_CERT_A) { if ((x = ssl_get_server_send_cert(s)) == NULL) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return (0); } @@ -2771,7 +2771,7 @@ ssl3_get_next_proto(SSL *s) * extension in their ClientHello */ if (!S3I(s)->next_proto_neg_seen) { - SSLerror(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); + SSLerror(s, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); return (-1); } @@ -2787,7 +2787,7 @@ ssl3_get_next_proto(SSL *s) * by ssl3_get_finished). */ if (!S3I(s)->change_cipher_spec) { - SSLerror(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); + SSLerror(s, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); return (-1); } @@ -2817,7 +2817,7 @@ ssl3_get_next_proto(SSL *s) s->internal->next_proto_negotiated_len = 0; if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); return (0); } s->internal->next_proto_negotiated_len = (uint8_t)len; diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c index f654d0b3a11..81ac493e6c1 100644 --- a/lib/libssl/ssl_txt.c +++ b/lib/libssl/ssl_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_txt.c,v 1.27 2017/01/26 10:40:21 beck Exp $ */ +/* $OpenBSD: ssl_txt.c,v 1.28 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -95,7 +95,7 @@ SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) int ret; if ((b = BIO_new(BIO_s_file_internal())) == NULL) { - SSLerror(ERR_R_BUF_LIB); + SSLerrorx(ERR_R_BUF_LIB); return (0); } BIO_set_fp(b, fp, BIO_NOCLOSE); diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index 2ee521b0730..85d28298bfc 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.95 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.96 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -203,7 +203,7 @@ tls1_finish_mac(SSL *s, const unsigned char *buf, int len) if (S3I(s)->handshake_dgst[i] == NULL) continue; if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], buf, len)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); return 0; } } @@ -223,12 +223,12 @@ tls1_digest_cached_records(SSL *s) S3I(s)->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(EVP_MD_CTX *)); if (S3I(s)->handshake_dgst == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); if (hdatalen <= 0) { - SSLerror(SSL_R_BAD_HANDSHAKE_LENGTH); + SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH); goto err; } @@ -239,16 +239,16 @@ tls1_digest_cached_records(SSL *s) S3I(s)->handshake_dgst[i] = EVP_MD_CTX_create(); if (S3I(s)->handshake_dgst[i] == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } if (!EVP_DigestInit_ex(S3I(s)->handshake_dgst[i], md, NULL)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); goto err; } if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], hdata, hdatalen)) { - SSLerror(ERR_R_EVP_LIB); + SSLerror(s, ERR_R_EVP_LIB); goto err; } } @@ -383,7 +383,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, count++; } if (count == 0) { - SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerrorx(SSL_R_SSL_HANDSHAKE_FAILURE); goto err; } len = slen / count; @@ -394,7 +394,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) { if (!md) { - SSLerror(SSL_R_UNSUPPORTED_DIGEST_TYPE); + SSLerrorx(SSL_R_UNSUPPORTED_DIGEST_TYPE); goto err; } if (!tls1_P_hash(md , S1, len + (slen&1), seed1, @@ -442,7 +442,7 @@ tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); if (*aead_ctx == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } @@ -470,7 +470,7 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) return (0); if (iv_len > sizeof(aead_ctx->fixed_nonce)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerrorx(ERR_R_INTERNAL_ERROR); return (0); } memcpy(aead_ctx->fixed_nonce, iv, iv_len); @@ -486,13 +486,13 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, if (aead_ctx->xor_fixed_nonce) { if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerrorx(ERR_R_INTERNAL_ERROR); return (0); } } else { if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerrorx(ERR_R_INTERNAL_ERROR); return (0); } } @@ -603,7 +603,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, return (1); err: - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerrorx(ERR_R_MALLOC_FAILURE); return (0); } @@ -688,7 +688,7 @@ tls1_change_cipher_state(SSL *s, int which) } if (key_block - S3I(s)->tmp.key_block != S3I(s)->tmp.key_block_length) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err2; } @@ -729,7 +729,7 @@ tls1_setup_key_block(SSL *s) if (s->session->cipher && (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { if (!ssl_cipher_get_evp_aead(s->session, &aead)) { - SSLerror(SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } key_len = EVP_AEAD_key_length(aead); @@ -737,7 +737,7 @@ tls1_setup_key_block(SSL *s) } else { if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, &mac_secret_size)) { - SSLerror(SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } key_len = EVP_CIPHER_key_length(cipher); @@ -758,7 +758,7 @@ tls1_setup_key_block(SSL *s) if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len, 2)) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } key_block_len = (mac_secret_size + key_len + iv_len) * 2; @@ -767,7 +767,7 @@ tls1_setup_key_block(SSL *s) S3I(s)->tmp.key_block = key_block; if ((tmp_block = malloc(key_block_len)) == NULL) { - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } @@ -1105,7 +1105,7 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) } } if (d == NULL) { - SSLerror(SSL_R_NO_REQUIRED_DIGEST); + SSLerror(s, SSL_R_NO_REQUIRED_DIGEST); return 0; } @@ -1336,11 +1336,11 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, goto ret; err1: - SSLerror(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); + SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); rv = 0; goto ret; err2: - SSLerror(ERR_R_MALLOC_FAILURE); + SSLerror(s, ERR_R_MALLOC_FAILURE); rv = 0; ret: free(buff); diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 2e9d31112db..a42e414dec8 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.114 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.115 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -742,7 +742,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) int el; if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -753,7 +753,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) s2n(el, ret); if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -778,7 +778,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) if (formatslen > lenmax) return NULL; if (formatslen > 255) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -800,7 +800,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) if (curveslen * 2 > lenmax) return NULL; if (curveslen * 2 > 65532) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -942,7 +942,7 @@ skip_ext: s2n(el, ret); if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } ret += el; @@ -1020,7 +1020,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) int el; if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -1031,7 +1031,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) s2n(el, ret); if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -1054,7 +1054,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) if (formatslen > lenmax) return NULL; if (formatslen > 255) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } @@ -1100,7 +1100,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) s2n(el, ret); if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { - SSLerror(ERR_R_INTERNAL_ERROR); + SSLerror(s, ERR_R_INTERNAL_ERROR); return NULL; } ret += el; @@ -1618,7 +1618,7 @@ ri_check: if (!renegotiate_seen && s->internal->renegotiate) { *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; } @@ -1870,7 +1870,7 @@ ri_check: if (!renegotiate_seen && !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; } @@ -2005,7 +2005,7 @@ ssl_check_serverhello_tlsext(SSL *s) } } if (!found_uncompressed) { - SSLerror(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); + SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); return -1; } } diff --git a/lib/libssl/t1_reneg.c b/lib/libssl/t1_reneg.c index 596b96edd3e..4e194dd5dfe 100644 --- a/lib/libssl/t1_reneg.c +++ b/lib/libssl/t1_reneg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_reneg.c,v 1.14 2017/01/26 12:16:13 beck Exp $ */ +/* $OpenBSD: t1_reneg.c,v 1.15 2017/02/07 02:08:38 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -123,7 +123,7 @@ ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, { if (p) { if ((S3I(s)->previous_client_finished_len + 1) > maxlen) { - SSLerror(SSL_R_RENEGOTIATE_EXT_TOO_LONG); + SSLerror(s, SSL_R_RENEGOTIATE_EXT_TOO_LONG); return 0; } @@ -150,7 +150,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len, CBS cbs, reneg; if (len < 0) { - SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR); + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } @@ -159,21 +159,21 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len, if (!CBS_get_u8_length_prefixed(&cbs, &reneg) || /* Consistency check */ CBS_len(&cbs) != 0) { - SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR); + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } /* Check that the extension matches */ if (CBS_len(&reneg) != S3I(s)->previous_client_finished_len) { - SSLerror(SSL_R_RENEGOTIATION_MISMATCH); + SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished, S3I(s)->previous_client_finished_len)) { - SSLerror(SSL_R_RENEGOTIATION_MISMATCH); + SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } @@ -191,7 +191,7 @@ ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, if (p) { if ((S3I(s)->previous_client_finished_len + S3I(s)->previous_server_finished_len + 1) > maxlen) { - SSLerror(SSL_R_RENEGOTIATE_EXT_TOO_LONG); + SSLerror(s, SSL_R_RENEGOTIATE_EXT_TOO_LONG); return 0; } @@ -229,7 +229,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i OPENSSL_assert(!expected_len || S3I(s)->previous_server_finished_len); if (len < 0) { - SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR); + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } @@ -239,7 +239,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i if (!CBS_get_u8_length_prefixed(&cbs, &reneg) || /* Consistency check */ CBS_len(&cbs) != 0) { - SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR); + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } @@ -251,20 +251,20 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i !CBS_get_bytes(&reneg, &previous_server, S3I(s)->previous_server_finished_len) || CBS_len(&reneg) != 0) { - SSLerror(SSL_R_RENEGOTIATION_MISMATCH); + SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } if (!CBS_mem_equal(&previous_client, S3I(s)->previous_client_finished, CBS_len(&previous_client))) { - SSLerror(SSL_R_RENEGOTIATION_MISMATCH); + SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } if (!CBS_mem_equal(&previous_server, S3I(s)->previous_server_finished, CBS_len(&previous_server))) { - SSLerror(SSL_R_RENEGOTIATION_MISMATCH); + SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } |