author | Joel Sing <jsing@cvs.openbsd.org> | 2018-11-08 20:55:19 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2018-11-08 20:55:19 +0000 |
commit | cbee9e4612c9f63f8f81bcf1e7f1bfd9177a0b4a (patch) | |
tree | 9e17f40da60d470bafb8be03b9124f3a485a3bfb /lib | |
parent | 10dfbac13bc3c0aa0fc8926a69dba4aff8b8cf08 (diff) |
Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.
ok beck@ tb@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/s3_lib.c | 19 | ||||
-rw-r--r-- | lib/libssl/ssl_cert.c | 30 | ||||
-rw-r--r-- | lib/libssl/ssl_clnt.c | 6 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 41 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 3 | ||||
-rw-r--r-- | lib/libssl/ssl_rsa.c | 26 | ||||
-rw-r--r-- | lib/libssl/ssl_srvr.c | 8 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 6 |
8 files changed, 18 insertions, 121 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 6ca08774b0c..356f43a356a 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.174 2018/11/07 01:53:36 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.175 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1728,11 +1728,6 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
 {
 DH *dh_tmp;
 
- if (!ssl_cert_inst(&s->cert)) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
 if (dh == NULL) {
 SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
 return 0;
@@ -1762,11 +1757,6 @@ _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
 const EC_GROUP *group;
 int nid;
 
- if (!ssl_cert_inst(&s->cert)) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
 if (ecdh == NULL)
 return 0;
 if ((group = EC_KEY_get0_group(ecdh)) == NULL)
@@ -1994,13 +1984,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 long
 ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 {
- if (cmd == SSL_CTRL_SET_TMP_DH_CB || cmd == SSL_CTRL_SET_TMP_ECDH_CB) {
- if (!ssl_cert_inst(&s->cert)) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
-
 switch (cmd) {
 case SSL_CTRL_SET_TMP_RSA_CB:
 SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 567d8ea21ff..bfd915d7dfe 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.68 2018/11/05 03:49:44 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.69 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -321,34 +321,6 @@ ssl_cert_free(CERT *c)
 free(c);
 }
 
-int
-ssl_cert_inst(CERT **o)
-{
- /*
- * Create a CERT if there isn't already one
- * (which cannot really happen, as it is initially created in
- * SSL_CTX_new; but the earlier code usually allows for that one
- * being non-existant, so we follow that behaviour, as it might
- * turn out that there actually is a reason for it -- but I'm
- * not sure that *all* of the existing code could cope with
- * s->cert being NULL, otherwise we could do without the
- * initialization in SSL_CTX_new).
- */
-
- if (o == NULL) {
- SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
- return (0);
- }
- if (*o == NULL) {
- if ((*o = ssl_cert_new()) == NULL) {
- SSLerrorx(ERR_R_MALLOC_FAILURE);
- return (0);
- }
- }
- return (1);
-}
-
-
 SESS_CERT *
 ssl_sess_cert_new(void)
 {
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 8c3ec800609..22e41da953c 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.35 2018/11/08 20:26:45 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.36 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2527,8 +2527,8 @@ ssl3_send_client_certificate(SSL *s)
 memset(&cbb, 0, sizeof(cbb));
 
 if (S3I(s)->hs.state == SSL3_ST_CW_CERT_A) {
- if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
- (s->cert->key->privatekey == NULL))
+ if (s->cert->key->x509 == NULL ||
+ s->cert->key->privatekey == NULL)
 S3I(s)->hs.state = SSL3_ST_CW_CERT_B;
 else
 S3I(s)->hs.state = SSL3_ST_CW_CERT_C;
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 3c4d1169194..6b4c7e72a10 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.190 2018/11/07 01:53:36 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.191 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
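Review bot: In ssl3_send_client_certificate() (ssl_clnt.c, hunk at -2527) the new condition dereferences `s->cert->key` with no guard, so a NULL `s->cert` is now a crash in the handshake path instead of a fall-through to SSL3_ST_CW_CERT_B; the same applies to SSL_get_certificate() and SSL_get_privatekey() in ssl_lib.c and to the `c->pkeys[...]` writes in tls1_process_sigalgs() in t1_lib.c (where `c` is assigned outside the hunk, presumably from s->cert). This diff shows SSL_new() and SSL_dup() checking the result of ssl_cert_dup(), but any other assignment to `s->cert` outside these hunks needs the same check, otherwise an allocation failure turns into a NULL dereference. I would record the invariant where the member is declared, for example `/* Never NULL: allocated in SSL_CTX_new(), duplicated in SSL_new(). */`, so a later change does not reintroduce an unchecked assignment. The function body starts and ends outside the hunk.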
@@ -261,23 +261,8 @@ SSL_new(SSL_CTX *ctx)
 s->internal->mode = ctx->internal->mode;
 s->internal->max_cert_list = ctx->internal->max_cert_list;
 
- if (ctx->internal->cert != NULL) {
- /*
- * Earlier library versions used to copy the pointer to
- * the CERT, not its contents; only when setting new
- * parameters for the per-SSL copy, ssl_cert_new would be
- * called (and the direct reference to the per-SSL_CTX
- * settings would be lost, but those still were indirectly
- * accessed for various purposes, and for that reason they
- * used to be known as s->ctx->default_cert).
- * Now we don't look at the SSL_CTX's CERT after having
- * duplicated it once.
- */
- s->cert = ssl_cert_dup(ctx->internal->cert);
- if (s->cert == NULL)
- goto err;
- } else
- s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
+ if ((s->cert = ssl_cert_dup(ctx->internal->cert)) == NULL)
+ goto err;
 
 s->internal->read_ahead = ctx->internal->read_ahead;
 s->internal->msg_callback = ctx->internal->msg_callback;
@@ -1855,6 +1840,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
 ret->verify_mode = SSL_VERIFY_NONE;
 ret->sid_ctx_length = 0;
 ret->internal->default_verify_callback = NULL;
+
 if ((ret->internal->cert = ssl_cert_new()) == NULL)
 goto err;
 
@@ -2519,12 +2505,9 @@ SSL_dup(SSL *s)
 ret->method = s->method;
 ret->method->internal->ssl_new(ret);
 
- if (s->cert != NULL) {
- ssl_cert_free(ret->cert);
- ret->cert = ssl_cert_dup(s->cert);
- if (ret->cert == NULL)
- goto err;
- }
+ ssl_cert_free(ret->cert);
+ if ((ret->cert = ssl_cert_dup(s->cert)) == NULL)
+ goto err;
 
 if (!SSL_set_session_id_context(ret,
 s->sid_ctx, s->sid_ctx_length))
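Review bot: Both SSL_new() (hunk at -261) and SSL_dup() (hunk at -2519) jump to `err` with the cert member set to NULL when ssl_cert_dup() fails, which is the one state this commit declares impossible. The `err` labels are outside the hunks, so the cleanup they run is not visible here; if it goes through the normal free path, ssl_cert_free() and anything else reached from it must keep accepting a NULL cert. A short comment at the failure branch would make that explicit, e.g. `/* s->cert is NULL here; cleanup at err must tolerate that. */`. In SSL_dup() the early `ssl_cert_free(ret->cert)` is safe only because the assignment inside the condition overwrites the freed pointer before `goto err`, which matters if those two lines are ever separated.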
@@ -2658,20 +2641,14 @@ ssl_clear_cipher_write_state(SSL *s)
 X509 *
 SSL_get_certificate(const SSL *s)
 {
- if (s->cert != NULL)
- return (s->cert->key->x509);
- else
- return (NULL);
+ return (s->cert->key->x509);
 }
 
 /* Fix this function so that it takes an optional type parameter */
 EVP_PKEY *
 SSL_get_privatekey(const SSL *s)
 {
- if (s->cert != NULL)
- return (s->cert->key->privatekey);
- else
- return (NULL);
+ return (s->cert->key->privatekey);
 }
 
 const SSL_CIPHER *
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 8aa29e7e598..32766de1cfc 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.220 2018/11/07 01:53:36 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.221 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1048,7 +1048,6 @@ void ssl_clear_cipher_write_state(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
-int ssl_cert_inst(CERT **o);
 void ssl_cert_free(CERT *c);
 SESS_CERT *ssl_sess_cert_new(void);
 void ssl_sess_cert_free(SESS_CERT *sc);
diff --git a/lib/libssl/ssl_rsa.c b/lib/libssl/ssl_rsa.c
index 631aaa5077d..4d2b1c9fb35 100644
--- a/lib/libssl/ssl_rsa.c
+++ b/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.29 2018/04/25 07:10:39 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.30 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -77,10 +77,6 @@ SSL_use_certificate(SSL *ssl, X509 *x)
 SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
 return (0);
 }
- if (!ssl_cert_inst(&ssl->cert)) {
- SSLerror(ssl, ERR_R_MALLOC_FAILURE);
- return (0);
- }
 return (ssl_set_cert(ssl->cert, x));
 }
 
@@ -154,10 +150,6 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
 SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
 return (0);
 }
- if (!ssl_cert_inst(&ssl->cert)) {
- SSLerror(ssl, ERR_R_MALLOC_FAILURE);
- return (0);
- }
 if ((pkey = EVP_PKEY_new()) == NULL) {
 SSLerror(ssl, ERR_R_EVP_LIB);
 return (0);
@@ -278,10 +270,6 @@ SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
 SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
 return (0);
 }
- if (!ssl_cert_inst(&ssl->cert)) {
- SSLerror(ssl, ERR_R_MALLOC_FAILURE);
- return (0);
- }
 ret = ssl_set_pkey(ssl->cert, pkey);
 return (ret);
 }
@@ -349,10 +337,6 @@ SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
 return (0);
 }
- if (!ssl_cert_inst(&ctx->internal->cert)) {
- SSLerrorx(ERR_R_MALLOC_FAILURE);
- return (0);
- }
 return (ssl_set_cert(ctx->internal->cert, x));
 }
 
@@ -482,10 +466,6 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
 return (0);
 }
- if (!ssl_cert_inst(&ctx->internal->cert)) {
- SSLerrorx(ERR_R_MALLOC_FAILURE);
- return (0);
- }
 if ((pkey = EVP_PKEY_new()) == NULL) {
 SSLerrorx(ERR_R_EVP_LIB);
 return (0);
@@ -562,10 +542,6 @@ SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
 SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
 return (0);
 }
- if (!ssl_cert_inst(&ctx->internal->cert)) {
- SSLerrorx(ERR_R_MALLOC_FAILURE);
- return (0);
- }
 return (ssl_set_pkey(ctx->internal->cert, pkey));
 }
 
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index f077140b906..e7f1f5c9ec0 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.49 2018/11/08 20:26:45 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.50 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -196,12 +196,6 @@ ssl3_accept(SSL *s)
 if (SSL_IS_DTLS(s))
 D1I(s)->listen = listen;
 
- if (s->cert == NULL) {
- SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
- ret = -1;
- goto end;
- }
-
 for (;;) {
 state = S3I(s)->hs.state;
 
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 758f7b1e113..1cb0cfb4534 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.147 2018/11/05 20:41:30 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.148 2018/11/08 20:55:18 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1150,10 +1150,6 @@ tls1_process_sigalgs(SSL *s, CBS *cbs)
 if (!SSL_USE_SIGALGS(s))
 return 1;
 
- /* Should never happen */
- if (c == NULL)
- return 0;
-
 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
 c->pkeys[SSL_PKEY_ECC].digest = NULL; |