-rw-r--r-- | lib/libtls/tls_config.c | 20 | ||||
-rw-r--r-- | lib/libtls/tls_ocsp.c | 37 | ||||
-rw-r--r-- | lib/libtls/tls_util.c | 32 | ||||
-rw-r--r-- | lib/libtls/tls_verify.c | 14 |
4 files changed, 52 insertions, 51 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index e2e3f4abaae..d44b8dde49f 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.45 2017/12/09 16:46:08 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.46 2018/02/05 00:52:24 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -161,31 +161,31 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
 if ((fd = open(filename, O_RDONLY)) == -1) {
 tls_error_set(error, "failed to open %s file '%s'",
 filetype, filename);
- goto fail;
+ goto err;
 }
 if (fstat(fd, &st) != 0) {
 tls_error_set(error, "failed to stat %s file '%s'",
 filetype, filename);
- goto fail;
+ goto err;
 }
 if (st.st_size < 0)
- goto fail;
+ goto err;
 *len = (size_t)st.st_size;
 if ((*buf = malloc(*len)) == NULL) {
 tls_error_set(error, "failed to allocate buffer for "
 "%s file", filetype);
- goto fail;
+ goto err;
 }
 n = read(fd, *buf, *len);
 if (n < 0 || (size_t)n != *len) {
 tls_error_set(error, "failed to read %s file '%s'",
 filetype, filename);
- goto fail;
+ goto err;
 }
 close(fd);
 return 0;
 
- fail:
+ err:
 if (fd != -1)
 close(fd);
 freezero(*buf, *len);
@@ -571,17 +571,17 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
 tls_config_set_errorx(config, "out of memory");
- goto fail;
+ goto err;
 }
 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
 tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
- goto fail;
+ goto err;
 }
 
 SSL_CTX_free(ssl_ctx);
 
 return set_string(&config->ciphers, ciphers);
 
- fail:
+ err:
 SSL_CTX_free(ssl_ctx);
 return -1;
 }
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index a8835edc8ff..307ae842b8a 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
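Review bot: In the tls_config_load_file hunk the length taken from fstat() is trusted without checking that the descriptor refers to a regular file, so a non-regular path (a device reporting st_size 0, for example) passes every check and hands the caller an empty zero-length buffer instead of an error, which may then be treated as loaded key or certificate material. st.st_mode is already available after the fstat() call, so a guard there leaves the rest of the logic untouched: `if (!S_ISREG(st.st_mode)) { tls_error_set(error, "%s file '%s' is not a regular file", filetype, filename); goto err; }`. The same fstat()-then-read() sequence without an S_ISREG check appears in tls_load_file in the tls_util.c hunk. The declarations and the remainder of tls_config_load_file's cleanup path lie outside this hunk.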
@@ -101,23 +101,24 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
 tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
 tls_set_error(ctx,
 "unable to parse revocation time in OCSP reply");
- goto error;
+ goto err;
 }
 if (thisupd != NULL &&
 tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
 tls_set_error(ctx,
 "unable to parse this update time in OCSP reply");
- goto error;
+ goto err;
 }
 if (nextupd != NULL &&
 tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
 tls_set_error(ctx,
 "unable to parse next update time in OCSP reply");
- goto error;
+ goto err;
 }
 ctx->ocsp->ocsp_result = info;
 return 0;
- error:
+
+ err:
 free(info);
 return -1;
 }
@@ -162,32 +163,32 @@ tls_ocsp_setup_from_peer(struct tls *ctx)
 STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
 
 if ((ocsp = tls_ocsp_new()) == NULL)
- goto failed;
+ goto err;
 
 /* steal state from ctx struct */
 ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
 ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
 if (ocsp->main_cert == NULL) {
 tls_set_errorx(ctx, "no peer certificate for OCSP");
- goto failed;
+ goto err;
 }
 
 ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
 if (ocsp_urls == NULL) {
 tls_set_errorx(ctx, "no OCSP URLs in peer certificate");
- goto failed;
+ goto err;
 }
 
 ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
 if (ocsp->ocsp_url == NULL) {
 tls_set_errorx(ctx, "out of memory");
- goto failed;
+ goto err;
 }
 
 X509_email_free(ocsp_urls);
 return ocsp;
 
- failed:
+ err:
 tls_ocsp_free(ocsp);
 X509_email_free(ocsp_urls);
 return NULL;
@@ -206,7 +207,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
 
 if ((br = OCSP_response_get1_basic(resp)) == NULL) {
 tls_set_errorx(ctx, "cannot load ocsp reply");
- goto error;
+ goto err;
 }
 
 /*
@@ -219,7 +220,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
 if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
 SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
 tls_set_error(ctx, "ocsp verify failed");
- goto error;
+ goto err;
 }
 
 /* signature OK, look inside */
@@ -227,43 +228,43 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
 if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
 tls_set_errorx(ctx, "ocsp verify failed: response - %s",
 OCSP_response_status_str(response_status));
- goto error;
+ goto err;
 }
 
 cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
 ctx->ocsp->extra_certs, ctx->ssl_ctx);
 if (cid == NULL) {
 tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");
- goto error;
+ goto err;
 }
 
 if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason, &revtime,
 &thisupd, &nextupd) != 1) {
 tls_set_errorx(ctx, "ocsp verify failed: no result for cert");
- goto error;
+ goto err;
 }
 
 if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC, MAXAGE_SEC) != 1) {
 tls_set_errorx(ctx,
 "ocsp verify failed: ocsp response not current");
- goto error;
+ goto err;
 }
 
 if (tls_ocsp_fill_info(ctx, response_status, cert_status,
 crl_reason, revtime, thisupd, nextupd) != 0)
- goto error;
+ goto err;
 
 /* finally can look at status */
 if (cert_status != V_OCSP_CERTSTATUS_GOOD &&
 cert_status != V_OCSP_CERTSTATUS_UNKNOWN) {
 tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",
 OCSP_crl_reason_str(crl_reason));
- goto error;
+ goto err;
 }
 
 ret = 0;
 
- error:
+ err:
 sk_X509_free(combined);
 OCSP_CERTID_free(cid);
 OCSP_BASICRESP_free(br);
diff --git a/lib/libtls/tls_util.c b/lib/libtls/tls_util.c
index aaa3eef49f1..f9df287ca87 100644
--- a/lib/libtls/tls_util.c
+++ b/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.10 2018/02/05 00:52:24 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -43,7 +43,7 @@ tls_host_port(const char *hostport, char **host, char **port)
 *port = NULL;
 
 if ((s = strdup(hostport)) == NULL)
- goto fail;
+ goto err;
 
 h = p = s;
 
@@ -66,14 +66,14 @@ tls_host_port(const char *hostport, char **host, char **port)
 *p++ = '\0';
 
 if (asprintf(host, "%s", h) == -1)
- goto fail;
+ goto err;
 if (asprintf(port, "%s", p) == -1)
- goto fail;
+ goto err;
 
 rv = 0;
 goto done;
 
- fail:
+ err:
 free(*host);
 *host = NULL;
 free(*port);
@@ -126,38 +126,38 @@ tls_load_file(const char *name, size_t *len, char *password)
 /* Just load the file into memory without decryption */
 if (password == NULL) {
 if (fstat(fd, &st) != 0)
- goto fail;
+ goto err;
 if (st.st_size < 0)
- goto fail;
+ goto err;
 size = (size_t)st.st_size;
 if ((buf = malloc(size)) == NULL)
- goto fail;
+ goto err;
 n = read(fd, buf, size);
 if (n < 0 || (size_t)n != size)
- goto fail;
+ goto err;
 close(fd);
 goto done;
 }
 
 /* Or read the (possibly) encrypted key from file */
 if ((fp = fdopen(fd, "r")) == NULL)
- goto fail;
+ goto err;
 fd = -1;
 
 key = PEM_read_PrivateKey(fp, NULL, tls_password_cb, password);
 fclose(fp);
 if (key == NULL)
- goto fail;
+ goto err;
 
 /* Write unencrypted key to memory buffer */
 if ((bio = BIO_new(BIO_s_mem())) == NULL)
- goto fail;
+ goto err;
 if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))
- goto fail;
+ goto err;
 if ((size = BIO_get_mem_data(bio, &data)) <= 0)
- goto fail;
+ goto err;
 if ((buf = malloc(size)) == NULL)
- goto fail;
+ goto err;
 memcpy(buf, data, size);
 BIO_free_all(bio);
 
@@ -167,7 +167,7 @@ tls_load_file(const char *name, size_t *len, char *password)
 *len = size;
 return (buf);
 
- fail:
+ err:
 if (fd != -1)
 close(fd);
 freezero(buf, size);
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index 3bd1057d0c4..acbe163ffdf 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.19 2017/04/10 17:11:13 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -215,16 +215,16 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 
 subject_name = X509_get_subject_name(cert);
 if (subject_name == NULL)
- goto out;
+ goto done;
 
 common_name_len = X509_NAME_get_text_by_NID(subject_name,
 NID_commonName, NULL, 0);
 if (common_name_len < 0)
- goto out;
+ goto done;
 
 common_name = calloc(common_name_len + 1, 1);
 if (common_name == NULL)
- goto out;
+ goto done;
 
 X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
 common_name_len + 1);
@@ -236,7 +236,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 "NUL byte in Common Name field, "
 "probably a malicious certificate", name);
 rv = -1;
- goto out;
+ goto done;
 }
 
 /*
@@ -247,13 +247,13 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 inet_pton(AF_INET6, name, &addrbuf) == 1) {
 if (strcmp(common_name, name) == 0)
 *cn_match = 1;
- goto out;
+ goto done;
 }
 
 if (tls_match_name(common_name, name) == 0)
 *cn_match = 1;
 
- out:
+ done:
 free(common_name);
 return rv;
 }