wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix missing return value checks

Browse source 
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Matt Caswell 2015-03-06 14:37:17 +00:00
parent 4bcdb4a601
commit 69f6823748
24 changed files with 237 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
ssl/bio_ssl.c
View file

@ -292,7 +292,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
else if (ssl->handshake_func == ssl->method->ssl_accept)
SSL_set_accept_state(ssl);
SSL_clear(ssl);
if(!SSL_clear(ssl)) {
ret = 0;
break;
}
if (b->next_bio != NULL)
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);

9
ssl/d1_both.c
View file

@ -989,7 +989,10 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
s->d1->handshake_write_seq, 0, 0);
/* buffer the message to handle re-xmits */
dtls1_buffer_message(s, 1);
if(!dtls1_buffer_message(s, 1)) {
SSLerr(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
return -1;
}
s->state = b;
}
@ -1237,7 +1240,7 @@ void dtls1_clear_record_buffer(SSL *s)
}
}
unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
void dtls1_set_message_header(SSL *s, unsigned char *p,
unsigned char mt, unsigned long len,
unsigned long frag_off,
unsigned long frag_len)
@ -1250,8 +1253,6 @@ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
frag_off, frag_len);
return p += DTLS1_HM_HEADER_LENGTH;
}
/* don't actually do the writing, wait till the MTU has been retrieved */

6
ssl/d1_clnt.c
View file

@ -181,8 +181,10 @@ int dtls1_connect(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (!SSL_in_init(s) || SSL_in_before(s)) {
if(!SSL_clear(s))
return -1;
}
#ifndef OPENSSL_NO_SCTP
/*

6
ssl/d1_lib.c
View file

@ -567,7 +567,11 @@ static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
s->init_off = 0;
/* Buffer the message to handle re-xmits */
dtls1_buffer_message(s, 0);
/*
* Deliberately swallow error return. We really should do something with
* this - but its a void function that can't (easily) be changed
*/
if(!dtls1_buffer_message(s, 0));
}
static int dtls1_handshake_write(SSL *s)

8
ssl/d1_pkt.c
View file

@ -937,7 +937,10 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
dtls1_process_heartbeat(s);
/* We allow a 0 return */
if(dtls1_process_heartbeat(s) < 0) {
return -1;
}
/* Exit and notify application to read again */
rr->length = 0;
@ -1246,7 +1249,8 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if (dtls1_check_timeout_num(s) < 0)
return -1;
dtls1_retransmit_buffered_messages(s);
/* Ignore retransmit failures - swallow return code */
if(dtls1_retransmit_buffered_messages(s));
rr->length = 0;
goto start;
}

6
ssl/d1_srvr.c
View file

@ -184,8 +184,10 @@ int dtls1_accept(SSL *s)
/* init things to blank */
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (!SSL_in_init(s) || SSL_in_before(s)) {
if(!SSL_clear(s))
return -1;
}
s->d1->listen = listen;
#ifndef OPENSSL_NO_SCTP

6
ssl/s23_clnt.c
View file

@ -157,8 +157,10 @@ int ssl23_connect(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (!SSL_in_init(s) || SSL_in_before(s)) {
if(!SSL_clear(s))
return -1;
}
for (;;) {
state = s->state;

6
ssl/s23_srvr.c
View file

@ -156,8 +156,10 @@ int ssl23_accept(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (!SSL_in_init(s) || SSL_in_before(s)) {
if(!SSL_clear(s))
return -1;
}
for (;;) {
state = s->state;

11
ssl/s3_clnt.c
View file

@ -197,8 +197,10 @@ int ssl3_connect(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (!SSL_in_init(s) || SSL_in_before(s)) {
if(!SSL_clear(s))
return -1;
}
#ifndef OPENSSL_NO_HEARTBEATS
/*
@ -3044,6 +3046,11 @@ int ssl3_send_client_key_exchange(SSL *s)
OPENSSL_cleanse(pms, pmslen);
OPENSSL_free(pms);
s->cert->pms = NULL;
if(s->session->master_key_length < 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
}
}
return n;
memerr:

10
ssl/s3_enc.c
View file

@ -253,7 +253,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd = s->enc_read_ctx;
ssl_replace_hash(&s->read_hash, m);
if(!ssl_replace_hash(&s->read_hash, m)) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err2;
}
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->expand != NULL) {
@ -288,7 +291,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
*/
EVP_CIPHER_CTX_init(s->enc_write_ctx);
dd = s->enc_write_ctx;
ssl_replace_hash(&s->write_hash, m);
if(!ssl_replace_hash(&s->write_hash, m)) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err2;
}
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->compress != NULL) {

3
ssl/s3_lib.c
View file

@ -3114,7 +3114,8 @@ int ssl3_new(SSL *s)
s->s3 = s3;
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_init(s);
if(!SSL_SRP_CTX_init(s))
goto err;
#endif
s->method->ssl_clear(s);
return (1);

5
ssl/s3_pkt.c
View file

@ -1320,7 +1320,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
tls1_process_heartbeat(s);
/* We can ignore 0 return values */
if(tls1_process_heartbeat(s) < 0) {
return -1;
}
/* Exit and notify application to read again */
rr->length = 0;

36
ssl/s3_srvr.c
View file

@ -226,8 +226,10 @@ int ssl3_accept(SSL *s)
/* init things to blank */
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (!SSL_in_init(s) || SSL_in_before(s)) {
if(!SSL_clear(s))
return -1;
}
if (s->cert == NULL) {
SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
@ -2227,6 +2229,11 @@ int ssl3_get_client_key_exchange(SSL *s)
sizeof
(rand_premaster_secret));
OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
if(s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
} else
#endif
#ifndef OPENSSL_NO_DH
@ -2319,6 +2326,11 @@ int ssl3_get_client_key_exchange(SSL *s)
session->master_key,
p, i);
OPENSSL_cleanse(p, i);
if(s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
if (dh_clnt)
return 2;
} else
@ -2484,6 +2496,11 @@ int ssl3_get_client_key_exchange(SSL *s)
s->
session->master_key,
pms, outl);
if(s->session->master_key_length < 0) {
al = SSL_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
if (kssl_ctx->client_princ) {
size_t len = strlen(kssl_ctx->client_princ);
@ -2632,6 +2649,11 @@ int ssl3_get_client_key_exchange(SSL *s)
p, i);
OPENSSL_cleanse(p, i);
if(s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
return (ret);
} else
#endif
@ -2716,6 +2738,11 @@ int ssl3_get_client_key_exchange(SSL *s)
session->master_key,
psk_or_pre_ms,
pre_ms_len);
if(s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto psk_err;
}
psk_err = 0;
psk_err:
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
@ -2817,6 +2844,11 @@ int ssl3_get_client_key_exchange(SSL *s)
s->
session->master_key,
premaster_secret, 32);
if(s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
/* Check if pubkey from client certificate was used */
if (EVP_PKEY_CTX_ctrl
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)

5
ssl/ssl.h
View file

@ -1773,7 +1773,7 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,
__owur const COMP_METHOD *SSL_get_current_compression(SSL *s);
__owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);
__owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
__owur STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
__owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
*meths);
void SSL_COMP_free_compression_methods(void);
@ -1782,7 +1782,7 @@ __owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
__owur const void *SSL_get_current_compression(SSL *s);
__owur const void *SSL_get_current_expansion(SSL *s);
__owur const char *SSL_COMP_get_name(const void *comp);
__owur void *SSL_COMP_get_compression_methods(void);
void *SSL_COMP_get_compression_methods(void);
__owur int SSL_COMP_add_compression_method(int id, void *cm);
# endif
@ -1956,6 +1956,7 @@ void ERR_load_SSL_strings(void);
# define SSL_F_DTLS1_READ_BYTES 258
# define SSL_F_DTLS1_READ_FAILED 259
# define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
# define SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC 342
# define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
# define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
# define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263

2
ssl/ssl_algs.c
View file

@ -130,7 +130,7 @@ int SSL_library_init(void)
* This will initialise the built-in compression algorithms. The value
* returned is a STACK_OF(SSL_COMP), but that can be discarded safely
*/
(void)SSL_COMP_get_compression_methods();
SSL_COMP_get_compression_methods();
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();

5
ssl/ssl_ciph.c
View file

@ -532,10 +532,13 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
else
*comp = NULL;
}
/* If were only interested in comp then return success */
if((enc == NULL) && (md == NULL))
return 1;
}
if ((enc == NULL) || (md == NULL))
return (0);
return 0;
switch (c->algorithm_enc) {
case SSL_DES:

81
ssl/ssl_err.c
View file

@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
* Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -83,8 +83,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "dtls1_get_message"},
{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),
"DTLS1_GET_MESSAGE_FRAGMENT"},
{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "dtls1_get_record"},
{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "dtls1_handle_timeout"},
{ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
@ -96,7 +95,9 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "dtls1_read_bytes"},
{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "dtls1_read_failed"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),
"dtls1_send_certificate_request"},
"DTLS1_SEND_CERTIFICATE_REQUEST"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC),
"dtls1_send_change_cipher_spec"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE),
"dtls1_send_client_certificate"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),
@ -109,8 +110,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "dtls1_send_server_hello"},
{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),
"dtls1_send_server_key_exchange"},
{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),
"dtls1_write_app_data_bytes"},
{ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"},
{ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"},
{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL23_CONNECT), "ssl23_connect"},
@ -130,10 +130,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"},
{ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"},
{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "ssl3_ctx_ctrl"},
{ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS),
"ssl3_digest_cached_records"},
{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),
"ssl3_do_change_cipher_spec"},
{ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "ssl3_digest_cached_records"},
{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "ssl3_do_change_cipher_spec"},
{ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),
@ -183,8 +181,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_ADD_CERT_TO_BUF), "SSL_ADD_CERT_TO_BUF"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),
"ssl_add_clienthello_renegotiate_ext"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),
"ssl_add_clienthello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "ssl_add_clienthello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT),
"ssl_add_clienthello_use_srtp_ext"},
{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),
@ -193,8 +190,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"SSL_add_file_cert_subjects_to_stack"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),
"ssl_add_serverhello_renegotiate_ext"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),
"ssl_add_serverhello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "ssl_add_serverhello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT),
"ssl_add_serverhello_use_srtp_ext"},
{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"},
@ -210,8 +206,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"SSL_CHECK_SERVERHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),
"ssl_check_srvr_ecc_cert_and_alg"},
{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),
"SSL_CIPHER_PROCESS_RULESTR"},
{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),
@ -296,10 +291,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),
"SSL_set_session_id_context"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),
"SSL_set_session_ticket_ext"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
@ -317,10 +310,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),
"SSL_use_RSAPrivateKey_ASN1"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),
"SSL_use_RSAPrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"},
{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
{ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
@ -391,16 +382,14 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_BAD_VALUE), "bad value"},
{ERR_REASON(SSL_R_BAD_WRITE_RETRY), "bad write retry"},
{ERR_REASON(SSL_R_BIO_NOT_SET), "bio not set"},
{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
"block cipher pad is wrong"},
{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"},
{ERR_REASON(SSL_R_BN_LIB), "bn lib"},
{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"},
{ERR_REASON(SSL_R_CA_DN_TOO_LONG), "ca dn too long"},
{ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
{ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},
{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY), "ccs received early"},
{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),
"certificate verify failed"},
{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"},
{ERR_REASON(SSL_R_CERT_CB_ERROR), "cert cb error"},
{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH), "cert length mismatch"},
{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
@ -413,8 +402,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_COMPRESSION_FAILURE), "compression failure"},
{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),
"compression id not within private range"},
{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),
"compression library error"},
{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"},
{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"},
{ERR_REASON(SSL_R_COOKIE_MISMATCH), "cookie mismatch"},
{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),
@ -443,8 +431,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_EE_KEY_TOO_SMALL), "ee key too small"},
{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),
"empty srtp protection profile list"},
{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
"encrypted length too long"},
{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"},
{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),
"error generating tmp rsa key"},
{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
@ -494,8 +481,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"},
{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),
"missing ecdsa signing cert"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),
"missing export tmp dh key"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),
"missing export tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
@ -527,8 +513,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"},
{ERR_REASON(SSL_R_NO_RENEGOTIATION), "no renegotiation"},
{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST),
"digest requred for handshake isn't computed"},
{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), "no required digest"},
{ERR_REASON(SSL_R_NO_SHARED_CIPHER), "no shared cipher"},
{ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS),
"no shared sigature algorithms"},
@ -546,8 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"only TLS 1.2 allowed in Suite B mode"},
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),
"only tls allowed in fips mode"},
{ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),
"opaque PRF input too long"},
{ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "opaque PRF input too long"},
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
{ERR_REASON(SSL_R_PARSE_TLSEXT), "parse tlsext"},
{ERR_REASON(SSL_R_PATH_TOO_LONG), "path too long"},
@ -597,8 +581,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),
"ssl3 ext invalid servername type"},
{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"},
{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),
"ssl3 session id too short"},
{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"},
{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
"sslv3 alert bad certificate"},
{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
@ -634,13 +617,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"ssl session id context too long"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
"ssl session id has bad length"},
{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),
"tlsv1 alert access denied"},
{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),
"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
"tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
"tlsv1 alert export restriction"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
@ -683,8 +664,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"tls rsa encrypted value length is wrong"},
{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),
"tried to use unsupported cipher"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),
"unable to decode dh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),
"unable to decode ecdh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),
@ -693,8 +673,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"unable to find ecdh parameters"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),
"unable to find public key parameters"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),
"unable to find ssl method"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"},
{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),
"unable to load ssl3 md5 routines"},
{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
@ -708,12 +687,10 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"},
{ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
{ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
"unknown key exchange type"},
{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"},
{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"},
{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"},
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),
"unknown remote error type"},
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"},
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION), "unknown ssl version"},
{ERR_REASON(SSL_R_UNKNOWN_STATE), "unknown state"},
{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),

25
ssl/ssl_lib.c
View file

@ -378,7 +378,8 @@ SSL *SSL_new(SSL_CTX *ctx)
s->references = 1;
s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
SSL_clear(s);
if(!SSL_clear(s))
goto err;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
@ -885,7 +886,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
CERT *tmp;
/* Do we need to to SSL locking? */
SSL_set_session(t, SSL_get_session(f));
if(!SSL_set_session(t, SSL_get_session(f))) {
/* How do we handle this!! void function */
return;
}
/*
* what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
@ -904,7 +908,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
t->cert = NULL;
if (tmp != NULL)
ssl_cert_free(tmp);
SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);
if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
/* Really should do something about this..but void function - ignore */
;
}
}
/* Fix this so it checks all the valid key/cert options */
@ -1924,10 +1931,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
if (ret->cert_store == NULL)
goto err;
ssl_create_cipher_list(ret->method,
if(!ssl_create_cipher_list(ret->method,
&ret->cipher_list, &ret->cipher_list_by_id,
SSL_DEFAULT_CIPHER_LIST, ret->cert);
if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSL_DEFAULT_CIPHER_LIST, ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@ -1980,7 +1987,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->psk_server_callback = NULL;
#endif
#ifndef OPENSSL_NO_SRP
SSL_CTX_SRP_CTX_init(ret);
if(!SSL_CTX_SRP_CTX_init(ret))
goto err;
#endif
#ifndef OPENSSL_NO_ENGINE
ret->client_cert_engine = NULL;
@ -2783,7 +2791,8 @@ SSL *SSL_dup(SSL *s)
goto err;
}
SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length);
if(!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
goto err;
}
ret->options = s->options;

5
ssl/ssl_rsa.c
View file

@ -693,7 +693,10 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
int r;
unsigned long err;
SSL_CTX_clear_chain_certs(ctx);
if(!SSL_CTX_clear_chain_certs(ctx)) {
ret = 0;
goto end;
}
while ((ca = PEM_read_bio_X509(in, NULL,
ctx->default_passwd_callback,

6
ssl/ssl_sess.c
View file

@ -510,12 +510,14 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
*/
if (!
(s->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE))
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
/*
* The following should not return 1, otherwise, things are
* very strange
*/
SSL_CTX_add_session(s->session_ctx, ret);
if(SSL_CTX_add_session(s->session_ctx, ret))
goto err;
}
}
}

3
ssl/ssl_txt.c
View file

@ -214,7 +214,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (x->compress_meth != 0) {
SSL_COMP *comp = NULL;
ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0);
if(!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0))
goto err;
if (comp == NULL) {
if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <=
0)

95
ssl/ssltest.c
View file

@ -1443,8 +1443,11 @@ int main(int argc, char *argv[])
SSL_CTX_set_security_level(s_ctx, 0);
if (cipher != NULL) {
SSL_CTX_set_cipher_list(c_ctx, cipher);
SSL_CTX_set_cipher_list(s_ctx, cipher);
if(!SSL_CTX_set_cipher_list(c_ctx, cipher)
|| !SSL_CTX_set_cipher_list(s_ctx, cipher)) {
ERR_print_errors(bio_err);
goto end;
}
}
/* Process SSL_CONF arguments */
@ -1537,10 +1540,13 @@ int main(int argc, char *argv[])
}
if (client_auth) {
SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(c_ctx,
if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
|| !SSL_CTX_use_PrivateKey_file(c_ctx,
(client_key ? client_key : client_cert),
SSL_FILETYPE_PEM);
SSL_FILETYPE_PEM)) {
ERR_print_errors(bio_err);
goto end;
}
}
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
@ -1569,8 +1575,11 @@ int main(int argc, char *argv[])
{
int session_id_context = 0;
SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
sizeof session_id_context);
if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
sizeof session_id_context)) {
ERR_print_errors(bio_err);
goto end;
}
}
/* Use PSK only if PSK key is given */
@ -1637,15 +1646,22 @@ int main(int argc, char *argv[])
}
#endif
if (serverinfo_sct)
SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
if (serverinfo_sct) {
if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL);
if (serverinfo_tack)
SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err, "Error adding SCT extension\n");
goto end;
}
}
if (serverinfo_tack) {
if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL);
serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err, "Error adding TACK extension\n");
goto end;
}
}
if (serverinfo_file)
if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) {
BIO_printf(bio_err, "missing serverinfo file\n");
@ -1653,39 +1669,41 @@ int main(int argc, char *argv[])
}
if (custom_ext) {
SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_cli_add_cb,
NULL, NULL,
custom_ext_0_cli_parse_cb, NULL);
SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_0_cli_parse_cb, NULL)
|| !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_cli_add_cb,
NULL, NULL,
custom_ext_1_cli_parse_cb, NULL);
SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_1_cli_parse_cb, NULL)
|| !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_cli_add_cb,
NULL, NULL,
custom_ext_2_cli_parse_cb, NULL);
SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_2_cli_parse_cb, NULL)
|| !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_cli_add_cb,
NULL, NULL,
custom_ext_3_cli_parse_cb, NULL);
SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_3_cli_parse_cb, NULL)
|| !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_srv_add_cb,
NULL, NULL,
custom_ext_0_srv_parse_cb, NULL);
SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_0_srv_parse_cb, NULL)
|| !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_srv_add_cb,
NULL, NULL,
custom_ext_1_srv_parse_cb, NULL);
SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_1_srv_parse_cb, NULL)
|| !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_srv_add_cb,
NULL, NULL,
custom_ext_2_srv_parse_cb, NULL);
SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_2_srv_parse_cb, NULL)
|| !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_srv_add_cb,
NULL, NULL,
custom_ext_3_srv_parse_cb, NULL);
custom_ext_3_srv_parse_cb, NULL)) {
BIO_printf(bio_err, "Error setting custom extensions\n");
goto end;
}
}
if (alpn_server)
@ -1699,7 +1717,12 @@ int main(int argc, char *argv[])
BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
goto end;
}
SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
/* Returns 0 on success!! */
if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
BIO_printf(bio_err, "Error setting ALPN\n");
OPENSSL_free(alpn);
goto end;
}
OPENSSL_free(alpn);
}
@ -1722,8 +1745,12 @@ int main(int argc, char *argv[])
#endif /* OPENSSL_NO_KRB5 */
for (i = 0; i < number; i++) {
if (!reuse)
SSL_set_session(c_ssl, NULL);
if (!reuse) {
if(!SSL_set_session(c_ssl, NULL)) {
BIO_printf(bio_err, "Failed to set session\n");
goto end;
}
}
if (bio_pair)
ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
else

3
ssl/t1_enc.c
View file

@ -1095,7 +1095,8 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
* exchange and before certificate verify)
*/
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
ssl3_digest_cached_records(s);
if(!ssl3_digest_cached_records(s))
return -1;
}
hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
#ifdef SSL_DEBUG

26
ssl/t1_lib.c
View file

@ -1431,7 +1431,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
int el;
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
/* Returns 0 on success!! */
if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return NULL;
}
if ((limit - ret - 4 - el) < 0)
return NULL;
@ -1601,8 +1605,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
if (SSL_IS_DTLS(s) && s->srtp_profile) {
int el;
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
/* Returns 0 on success!! */
if(ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return NULL;
}
if ((limit - ret - 4 - el) < 0)
return NULL;
@ -4141,12 +4148,13 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
{
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
/* Deliberately ignore all return values */
if(tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC)
|| tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN)
|| tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN)
|| tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA)
|| tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA)
|| tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC));
}
/* User level utiity function to check a chain is suitable */