-rw-r--r--lib/libtls/tls_config.c20
-rw-r--r--lib/libtls/tls_ocsp.c37
-rw-r--r--lib/libtls/tls_util.c32
-rw-r--r--lib/libtls/tls_verify.c14
4 files changed, 52 insertions, 51 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index e2e3f4abaae..d44b8dde49f 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.45 2017/12/09 16:46:08 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.46 2018/02/05 00:52:24 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -161,31 +161,31 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
if ((fd = open(filename, O_RDONLY)) == -1) {
tls_error_set(error, "failed to open %s file '%s'",
filetype, filename);
- goto fail;
+ goto err;
}
if (fstat(fd, &st) != 0) {
tls_error_set(error, "failed to stat %s file '%s'",
filetype, filename);
- goto fail;
+ goto err;
}
if (st.st_size < 0)
- goto fail;
+ goto err;
*len = (size_t)st.st_size;
if ((*buf = malloc(*len)) == NULL) {
tls_error_set(error, "failed to allocate buffer for "
"%s file", filetype);
- goto fail;
+ goto err;
}
n = read(fd, *buf, *len);
if (n < 0 || (size_t)n != *len) {
tls_error_set(error, "failed to read %s file '%s'",
filetype, filename);
- goto fail;
+ goto err;
}
close(fd);
return 0;
- fail:
+ err:
if (fd != -1)
close(fd);
freezero(*buf, *len);
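Review bot: The `st.st_size < 0` bail-out near the top of this hunk jumps to `err` without recording anything in `error`, so the caller gets -1 with whatever message was stored previously, while every other failure path in the function sets one. Adding `tls_error_setx(error, "invalid size for %s file '%s'", filetype, filename);` before that goto (tls_error_setx being libtls's errno-free variant, assuming it is declared alongside tls_error_set in tls_internal.h) keeps the error contract consistent. The load also relies on a single fstat()+read() pair: a short read is rejected rather than retried, which is fine for regular files but will spuriously fail on a FIFO or anything whose st_size is not the byte count, so the read() check deserves a one-line comment stating that only regular files are supported. The start of tls_config_load_file, including the declarations of `fd` and the initial value of `*buf`, is outside this hunk.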
@@ -571,17 +571,17 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
tls_config_set_errorx(config, "out of memory");
- goto fail;
+ goto err;
}
if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
- goto fail;
+ goto err;
}
SSL_CTX_free(ssl_ctx);
return set_string(&config->ciphers, ciphers);
- fail:
+ err:
SSL_CTX_free(ssl_ctx);
return -1;
}
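Review bot: The `SSL_CTX_set_cipher_list()` check in this hunk only fails when no cipher at all matches, so a list containing one valid name plus a misspelled one passes validation with the typo silently dropped, while the `no ciphers for '%s'` message reads as if the whole string had been validated. A comment above the call such as `/* Only rejects a list that selects nothing; unknown names among valid ones are silently ignored by libssl. */` would stop a reader from assuming stricter checking. The validation also runs against a throwaway `SSLv23_method()` context rather than the one the config will eventually build, so it confirms the string parses, not that the selected ciphers are usable with the protocols later enabled on the real context. The function's signature and the `ssl_ctx` declaration sit above the hunk.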
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index a8835edc8ff..307ae842b8a 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -101,23 +101,24 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
tls_set_error(ctx,
"unable to parse revocation time in OCSP reply");
- goto error;
+ goto err;
}
if (thisupd != NULL &&
tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
tls_set_error(ctx,
"unable to parse this update time in OCSP reply");
- goto error;
+ goto err;
}
if (nextupd != NULL &&
tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
tls_set_error(ctx,
"unable to parse next update time in OCSP reply");
- goto error;
+ goto err;
}
ctx->ocsp->ocsp_result = info;
return 0;
- error:
+
+ err:
free(info);
return -1;
}
@@ -162,32 +163,32 @@ tls_ocsp_setup_from_peer(struct tls *ctx)
STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
if ((ocsp = tls_ocsp_new()) == NULL)
- goto failed;
+ goto err;
/* steal state from ctx struct */
ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
if (ocsp->main_cert == NULL) {
tls_set_errorx(ctx, "no peer certificate for OCSP");
- goto failed;
+ goto err;
}
ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
if (ocsp_urls == NULL) {
tls_set_errorx(ctx, "no OCSP URLs in peer certificate");
- goto failed;
+ goto err;
}
ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
if (ocsp->ocsp_url == NULL) {
tls_set_errorx(ctx, "out of memory");
- goto failed;
+ goto err;
}
X509_email_free(ocsp_urls);
return ocsp;
- failed:
+ err:
tls_ocsp_free(ocsp);
X509_email_free(ocsp_urls);
return NULL;
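Review bot: `ocsp->ocsp_url` is copied verbatim from the peer certificate's AIA extension (`X509_get1_ocsp()` at the `ocsp_urls` line), so whatever later fetches it is handed a URL chosen by the certificate holder, and only the first entry is kept with no fallback to any others listed. A comment at the strdup would make that trust boundary explicit: `/* First AIA OCSP URL, taken as-is from the peer cert; callers must treat it as untrusted input (scheme, host) before fetching it. */`. Note also that `ocsp->extra_certs` is borrowed from `ctx->ssl_conn` (as the "steal state" comment says) whereas `main_cert` from SSL_get_peer_certificate() is a counted reference, so tls_ocsp_free() must release one and not the other — presumably already the case, but not visible here. The function's declarations and its closing brace are outside the hunk.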
@@ -206,7 +207,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
if ((br = OCSP_response_get1_basic(resp)) == NULL) {
tls_set_errorx(ctx, "cannot load ocsp reply");
- goto error;
+ goto err;
}
/*
@@ -219,7 +220,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
tls_set_error(ctx, "ocsp verify failed");
- goto error;
+ goto err;
}
/* signature OK, look inside */
@@ -227,43 +228,43 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
tls_set_errorx(ctx, "ocsp verify failed: response - %s",
OCSP_response_status_str(response_status));
- goto error;
+ goto err;
}
cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
ctx->ocsp->extra_certs, ctx->ssl_ctx);
if (cid == NULL) {
tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");
- goto error;
+ goto err;
}
if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
&revtime, &thisupd, &nextupd) != 1) {
tls_set_errorx(ctx, "ocsp verify failed: no result for cert");
- goto error;
+ goto err;
}
if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
MAXAGE_SEC) != 1) {
tls_set_errorx(ctx,
"ocsp verify failed: ocsp response not current");
- goto error;
+ goto err;
}
if (tls_ocsp_fill_info(ctx, response_status, cert_status,
crl_reason, revtime, thisupd, nextupd) != 0)
- goto error;
+ goto err;
/* finally can look at status */
if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
V_OCSP_CERTSTATUS_UNKNOWN) {
tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",
OCSP_crl_reason_str(crl_reason));
- goto error;
+ goto err;
}
ret = 0;
- error:
+ err:
sk_X509_free(combined);
OCSP_CERTID_free(cid);
OCSP_BASICRESP_free(br);
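Review bot: The status check at the end of this hunk treats `V_OCSP_CERTSTATUS_UNKNOWN` the same as `GOOD`: a responder that reports no knowledge of the certificate still yields `ret = 0`, and the `/* finally can look at status */` comment does not say this is deliberate. If that soft-fail policy is intended, document it at the condition, e.g. `/* Only a definitive "revoked" fails verification; "unknown" is accepted so a responder that does not know the cert cannot block the handshake. */`; if it is not, the comparison should simply be `cert_status != V_OCSP_CERTSTATUS_GOOD`. The initialisation of `ret` and the final `return ret` are outside the hunk.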
diff --git a/lib/libtls/tls_util.c b/lib/libtls/tls_util.c
index aaa3eef49f1..f9df287ca87 100644
--- a/lib/libtls/tls_util.c
+++ b/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.10 2018/02/05 00:52:24 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -43,7 +43,7 @@ tls_host_port(const char *hostport, char **host, char **port)
*port = NULL;
if ((s = strdup(hostport)) == NULL)
- goto fail;
+ goto err;
h = p = s;
@@ -66,14 +66,14 @@ tls_host_port(const char *hostport, char **host, char **port)
*p++ = '\0';
if (asprintf(host, "%s", h) == -1)
- goto fail;
+ goto err;
if (asprintf(port, "%s", p) == -1)
- goto fail;
+ goto err;
rv = 0;
goto done;
- fail:
+ err:
free(*host);
*host = NULL;
free(*port);
@@ -126,38 +126,38 @@ tls_load_file(const char *name, size_t *len, char *password)
/* Just load the file into memory without decryption */
if (password == NULL) {
if (fstat(fd, &st) != 0)
- goto fail;
+ goto err;
if (st.st_size < 0)
- goto fail;
+ goto err;
size = (size_t)st.st_size;
if ((buf = malloc(size)) == NULL)
- goto fail;
+ goto err;
n = read(fd, buf, size);
if (n < 0 || (size_t)n != size)
- goto fail;
+ goto err;
close(fd);
goto done;
}
/* Or read the (possibly) encrypted key from file */
if ((fp = fdopen(fd, "r")) == NULL)
- goto fail;
+ goto err;
fd = -1;
key = PEM_read_PrivateKey(fp, NULL, tls_password_cb, password);
fclose(fp);
if (key == NULL)
- goto fail;
+ goto err;
/* Write unencrypted key to memory buffer */
if ((bio = BIO_new(BIO_s_mem())) == NULL)
- goto fail;
+ goto err;
if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))
- goto fail;
+ goto err;
if ((size = BIO_get_mem_data(bio, &data)) <= 0)
- goto fail;
+ goto err;
if ((buf = malloc(size)) == NULL)
- goto fail;
+ goto err;
memcpy(buf, data, size);
BIO_free_all(bio);
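Review bot: After the `memcpy(buf, data, size)` in this hunk `buf` holds the decrypted private key in plaintext, and the same bytes also sit in the memory BIO and in `key`; the hunk frees the BIO, but nothing in view says whether the mem BIO's storage is scrubbed on free, which is a libcrypto property rather than something this code controls. A comment at the memcpy would make the ownership and sensitivity explicit: `/* buf now holds the unencrypted key; the caller owns it and must release it with tls_unload_file() so it is zeroed. */` — assuming tls_unload_file() is the intended counterpart, as its name suggests. The `BIO_get_mem_data()` result is compared with `<= 0`, but the type of `size` is declared above the hunk; if it is unsigned that check only catches zero. The `password == NULL` branch also rejects any short read from a single read() call, the same whole-regular-file assumption as tls_config_load_file().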
@@ -167,7 +167,7 @@ tls_load_file(const char *name, size_t *len, char *password)
*len = size;
return (buf);
- fail:
+ err:
if (fd != -1)
close(fd);
freezero(buf, size);
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index 3bd1057d0c4..acbe163ffdf 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.19 2017/04/10 17:11:13 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -215,16 +215,16 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
subject_name = X509_get_subject_name(cert);
if (subject_name == NULL)
- goto out;
+ goto done;
common_name_len = X509_NAME_get_text_by_NID(subject_name,
NID_commonName, NULL, 0);
if (common_name_len < 0)
- goto out;
+ goto done;
common_name = calloc(common_name_len + 1, 1);
if (common_name == NULL)
- goto out;
+ goto done;
X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
common_name_len + 1);
@@ -236,7 +236,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
"NUL byte in Common Name field, "
"probably a malicious certificate", name);
rv = -1;
- goto out;
+ goto done;
}
/*
@@ -247,13 +247,13 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
inet_pton(AF_INET6, name, &addrbuf) == 1) {
if (strcmp(common_name, name) == 0)
*cn_match = 1;
- goto out;
+ goto done;
}
if (tls_match_name(common_name, name) == 0)
*cn_match = 1;
- out:
+ done:
free(common_name);
return rv;
}