diff options
| author |   jsing <jsing@openbsd.org> | 2015-09-13 09:20:19 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2015-09-13 09:20:19 +0000 |
| commit | 3458d1ef1aeac0b907a710e9dcb0b934e2826163 (patch) | |
| tree | b9124a7bba19d7eff4cd2481199acc94a6c23b00 /lib/libssl/s3_srvr.c | |
| parent | If we have hardware acceleration for AES, prefer AES as a symmetric cipher (diff) | |
| download | wireguard-openbsd-3458d1ef1aeac0b907a710e9dcb0b934e2826163.tar.xz wireguard-openbsd-3458d1ef1aeac0b907a710e9dcb0b934e2826163.zip | |
The *_accept() functions increment in_handshake at the start of the function,
then decrement it and call a callback on exit from the function. As such,
these functions should not return in the middle, otherwise in_handshake is
never decremented and the callback never called.
ok beck@ "with many sighs" miod@
Diffstat (limited to 'lib/libssl/s3_srvr.c')
| -rw-r--r-- | lib/libssl/s3_srvr.c | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 2fbf063140c..cd63422db8e 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.121 2015/09/12 16:10:07 doug Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.122 2015/09/13 09:20:19 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -188,9 +188,9 @@ ssl3_accept(SSL *s) SSL_clear(s); if (s->cert == NULL) { - SSLerr(SSL_F_SSL3_ACCEPT, - SSL_R_NO_CERTIFICATE_SET); - return (-1); + SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET); + ret = -1; + goto end; } for (;;) { @@ -211,9 +211,9 @@ ssl3_accept(SSL *s) cb(s, SSL_CB_HANDSHAKE_START, 1); if ((s->version >> 8) != 3) { - SSLerr(SSL_F_SSL3_ACCEPT, - ERR_R_INTERNAL_ERROR); - return (-1); + SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } s->type = SSL_ST_ACCEPT; @@ -392,9 +392,12 @@ ssl3_accept(SSL *s) skip = 1; s->s3->tmp.cert_request = 0; s->state = SSL3_ST_SW_SRVR_DONE_A; - if (s->s3->handshake_buffer) - if (!tls1_digest_cached_records(s)) - return (-1); + if (s->s3->handshake_buffer) { + if (!tls1_digest_cached_records(s)) { + ret = -1; + goto end; + } + } } else { s->s3->tmp.cert_request = 1; ret = ssl3_send_certificate_request(s); @@ -482,11 +485,14 @@ ssl3_accept(SSL *s) if (!s->s3->handshake_buffer) { SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); - return (-1); + ret = -1; + goto end; } s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!tls1_digest_cached_records(s)) - return (-1); + if (!tls1_digest_cached_records(s)) { + ret = -1; + goto end; + } } else { int offset = 0; int dgst_num; @@ -501,9 +507,12 @@ ssl3_accept(SSL *s) * CertificateVerify should be generalized. * But it is next step */ - if (s->s3->handshake_buffer) - if (!tls1_digest_cached_records(s)) - return (-1); + if (s->s3->handshake_buffer) { + if (!tls1_digest_cached_records(s)) { + ret = -1; + goto end; + } + } for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) if (s->s3->handshake_dgst[dgst_num]) { |