OpenCoverage

tls.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/libressl/src/tls/tls.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* $OpenBSD: tls.c,v 1.80 2018/04/07 16:30:59 jsing Exp $ */ -

2 /* -

4 * -

5 * Permission to use, copy, modify, and distribute this software for any -

6 * purpose with or without fee is hereby granted, provided that the above -

7 * copyright notice and this permission notice appear in all copies. -

8 * -

9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -

10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -

11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -

12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -

13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -

14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -

15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -

16 */ -

17 -

18 #include <sys/socket.h> -

19 -

20 #include <errno.h> -

21 #include <limits.h> -

22 #include <pthread.h> -

23 #include <stdlib.h> -

24 #include <unistd.h> -

25 -

26 #include <openssl/bio.h> -

27 #include <openssl/err.h> -

28 #include <openssl/evp.h> -

29 #include <openssl/pem.h> -

30 #include <openssl/safestack.h> -

31 #include <openssl/ssl.h> -

32 #include <openssl/x509.h> -

33 -

34 #include <tls.h> -

35 #include "tls_internal.h" -

36 -

37 static struct tls_config *tls_config_default; -

38 -

39 static int tls_init_rv = -1; -

40 -

41 static void -

42 tls_do_init(void) -

43 { -

44 OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG, NULL); -

45 -

if (BIO_sock_init() != 1)

BIO_sock_init() != 1	Description
TRUE	never evaluated
FALSE	evaluated 3 times by 3 tests Evaluated by: configtest tlstest verifytest

0-3

return;

never executed: return;

48 -

if ((tls_config_default = tls_config_new_internal()) == NULL)

(tls_config_de...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 3 times by 3 tests Evaluated by: configtest tlstest verifytest

0-3

return;

never executed: return;

51 -

52 tls_config_default->refcount++; -

53 -

54 tls_init_rv = 0; -

}

executed 3 times by 3 tests: end of block

Executed by:

configtest
tlstest
verifytest

56 -

57 int -

58 tls_init(void) -

59 { -

60 static pthread_once_t once = PTHREAD_ONCE_INIT; -

61 -

if (pthread_once(&once, tls_do_init) != 0)

pthread_once(&..._do_init) != 0	Description
TRUE	never evaluated
FALSE	evaluated 38 times by 3 tests Evaluated by: configtest tlstest verifytest

0-38

return -1;

never executed: return -1;

64 -

return tls_init_rv;

executed 38 times by 3 tests: return tls_init_rv;

Executed by:

configtest
tlstest
verifytest

66 } -

67 -

68 const char * -

69 tls_error(struct tls *ctx) -

70 { -

return ctx->error.msg;

never executed: return ctx->error.msg;

72 } -

73 -

74 void -

75 tls_error_clear(struct tls_error *error) -

76 { -

77 free(error->msg); -

78 error->msg = NULL; -

79 error->num = 0; -

80 error->tls = 0; -

}

executed 53 times by 2 tests: end of block

Executed by:

tlstest
verifytest

82 -

83 static int -

84 tls_error_vset(struct tls_error *error, int errnum, const char *fmt, va_list ap) -

85 { -

86 char *errmsg = NULL; -

87 int rv = -1; -

88 -

89 tls_error_clear(error); -

90 -

91 error->num = errnum; -

92 error->tls = 1; -

93 -

if (vasprintf(&errmsg, fmt, ap) == -1) {

vasprintf(&err...fmt, ap) == -1	Description
TRUE	never evaluated
FALSE	evaluated 14 times by 2 tests Evaluated by: tlstest verifytest

0-14

95 errmsg = NULL; -

goto err;

never executed: goto err;

97 } -

98 -

if (errnum == -1) {

errnum == -1	Description
TRUE	evaluated 14 times by 2 tests Evaluated by: tlstest verifytest
FALSE	never evaluated

0-14

100 error->msg = errmsg; -

101

return (0);

executed 14 times by 2 tests: return (0);

Executed by:

tlstest
verifytest

102 } -

103 -

104

if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {

asprintf(&erro...errnum)) == -1	Description
TRUE	never evaluated
FALSE	never evaluated

105 error->msg = NULL; -

106

goto err;

never executed: goto err;

107 } -

108 rv = 0; -

109 -

110

err:

code before this statement never executed: err:

111 free(errmsg); -

112 -

113

return (rv);

never executed: return (rv);

114 } -

115 -

116 int -

117 tls_error_set(struct tls_error *error, const char *fmt, ...) -

118 { -

119 va_list ap; -

120 int errnum, rv; -

121 -

122 errnum = errno; -

123 -

124 va_start(ap, fmt); -

125 rv = tls_error_vset(error, errnum, fmt, ap); -

126 va_end(ap); -

127 -

128

return (rv);

never executed: return (rv);

129 } -

130 -

131 int -

132 tls_error_setx(struct tls_error *error, const char *fmt, ...) -

133 { -

134 va_list ap; -

135 int rv; -

136 -

137 va_start(ap, fmt); -

138 rv = tls_error_vset(error, -1, fmt, ap); -

139 va_end(ap); -

140 -

141

return (rv);

never executed: return (rv);

142 } -

143 -

144 int -

145 tls_config_set_error(struct tls_config *config, const char *fmt, ...) -

146 { -

147 va_list ap; -

148 int errnum, rv; -

149 -

150 errnum = errno; -

151 -

152 va_start(ap, fmt); -

153 rv = tls_error_vset(&config->error, errnum, fmt, ap); -

154 va_end(ap); -

155 -

156

return (rv);

never executed: return (rv);

157 } -

158 -

159 int -

160 tls_config_set_errorx(struct tls_config *config, const char *fmt, ...) -

161 { -

162 va_list ap; -

163 int rv; -

164 -

165 va_start(ap, fmt); -

166 rv = tls_error_vset(&config->error, -1, fmt, ap); -

167 va_end(ap); -

168 -

169

return (rv);

never executed: return (rv);

170 } -

171 -

172 int -

173 tls_set_error(struct tls *ctx, const char *fmt, ...) -

174 { -

175 va_list ap; -

176 int errnum, rv; -

177 -

178 errnum = errno; -

179 -

180 va_start(ap, fmt); -

181 rv = tls_error_vset(&ctx->error, errnum, fmt, ap); -

182 va_end(ap); -

183 -

184

return (rv);

never executed: return (rv);

185 } -

186 -

187 int -

188 tls_set_errorx(struct tls *ctx, const char *fmt, ...) -

189 { -

190 va_list ap; -

191 int rv; -

192 -

193 va_start(ap, fmt); -

194 rv = tls_error_vset(&ctx->error, -1, fmt, ap); -

195 va_end(ap); -

196 -

197

return (rv);

executed 14 times by 2 tests: return (rv);

Executed by:

tlstest
verifytest

198 } -

199 -

200 int -

201 tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) -

202 { -

203 va_list ap; -

204 int rv; -

205 -

206 /* Only set an error if a more specific one does not already exist. */ -

207

if (ctx->error.tls != 0)

ctx->error.tls != 0	Description
TRUE	never evaluated
FALSE	never evaluated

208

return (0);

never executed: return (0);

209 -

210 va_start(ap, fmt); -

211 rv = tls_error_vset(&ctx->error, -1, fmt, ap); -

212 va_end(ap); -

213 -

214

return (rv);

never executed: return (rv);

215 } -

216 -

217 struct tls_sni_ctx * -

218 tls_sni_ctx_new(void) -

219 { -

220

return (calloc(1, sizeof(struct tls_sni_ctx)));

never executed: return (calloc(1, sizeof(struct tls_sni_ctx)));

221 } -

222 -

223 void -

224 tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx) -

225 { -

226

if (sni_ctx == NULL)

sni_ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

227

return;

never executed: return;

228 -

229 SSL_CTX_free(sni_ctx->ssl_ctx); -

230 X509_free(sni_ctx->ssl_cert); -

231 -

232 free(sni_ctx); -

233

}

never executed: end of block

234 -

235 struct tls * -

236 tls_new(void) -

237 { -

238 struct tls *ctx; -

239 -

240

if ((ctx = calloc(1, sizeof(*ctx))) == NULL)

(ctx = calloc(...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 36 times by 2 tests Evaluated by: tlstest verifytest

0-36

241

return (NULL);

never executed: return ( ((void *)0) );

242 -

243 tls_reset(ctx); -

244 -

245

if (tls_configure(ctx, tls_config_default) == -1) {

tls_configure(...default) == -1	Description
TRUE	never evaluated
FALSE	evaluated 36 times by 2 tests Evaluated by: tlstest verifytest

0-36

246 free(ctx); -

247

return NULL;

never executed: return ((void *)0) ;

248 } -

249 -

250

return (ctx);

executed 36 times by 2 tests: return (ctx);

Executed by:

tlstest
verifytest

251 } -

252 -

253 int -

254 tls_configure(struct tls *ctx, struct tls_config *config) -

255 { -

256

if (config == NULL)

config == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 44 times by 2 tests Evaluated by: tlstest verifytest

0-44

257

config = tls_config_default;

never executed: config = tls_config_default;

258 -

259 config->refcount++; -

260 -

261 tls_config_free(ctx->config); -

262 -

263 ctx->config = config; -

264 ctx->keypair = config->keypair; -

265 -

266

if ((ctx->flags & TLS_SERVER) != 0)

(ctx->flags & (1 << 1)) != 0	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	evaluated 40 times by 2 tests Evaluated by: tlstest verifytest

4-40

267

return (tls_configure_server(ctx));

executed 4 times by 1 test: return (tls_configure_server(ctx));

Executed by:

tlstest

268 -

269

return (0);

executed 40 times by 2 tests: return (0);

Executed by:

tlstest
verifytest

270 } -

271 -

272 int -

273 tls_cert_hash(X509 *cert, char **hash) -

274 { -

275 char d[EVP_MAX_MD_SIZE], *dhex = NULL; -

276 int dlen, rv = -1; -

277 -

278 free(*hash); -

279 *hash = NULL; -

280 -

281

if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1)

X509_digest(ce...d, &dlen) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

282

goto err;

never executed: goto err;

283 -

284

if (tls_hex_string(d, dlen, &dhex, NULL) != 0)

tls_hex_string...id *)0) ) != 0	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

285

goto err;

never executed: goto err;

286 -

287

if (asprintf(hash, "SHA256:%s", dhex) == -1) {

asprintf(hash,...", dhex) == -1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

288 *hash = NULL; -

289

goto err;

never executed: goto err;

290 } -

291 -

292 rv = 0; -

293

err:

code before this statement executed 4 times by 1 test: err:

Executed by:

tlstest

294 free(dhex); -

295 -

296

return (rv);

executed 4 times by 1 test: return (rv);

Executed by:

tlstest

297 } -

298 -

299 int -

300 tls_cert_pubkey_hash(X509 *cert, char **hash) -

301 { -

302 char d[EVP_MAX_MD_SIZE], *dhex = NULL; -

303 int dlen, rv = -1; -

304 -

305 free(*hash); -

306 *hash = NULL; -

307 -

308

if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)

X509_pubkey_di...d, &dlen) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 2 tests Evaluated by: keypairtest tlstest

0-4

309

goto err;

never executed: goto err;

310 -

311

if (tls_hex_string(d, dlen, &dhex, NULL) != 0)

tls_hex_string...id *)0) ) != 0	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 2 tests Evaluated by: keypairtest tlstest

0-4

312

goto err;

never executed: goto err;

313 -

314

if (asprintf(hash, "SHA256:%s", dhex) == -1) {

asprintf(hash,...", dhex) == -1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 2 tests Evaluated by: keypairtest tlstest

0-4

315 *hash = NULL; -

316

goto err;

never executed: goto err;

317 } -

318 -

319 rv = 0; -

320 -

321

err:

code before this statement executed 4 times by 2 tests: err:

Executed by:

keypairtest
tlstest

322 free(dhex); -

323 -

324

return (rv);

executed 4 times by 2 tests: return (rv);

Executed by:

keypairtest
tlstest

325 } -

326 -

327 int -

328 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, -

329 struct tls_keypair *keypair, int required) -

330 { -

331 EVP_PKEY *pkey = NULL; -

332 BIO *bio = NULL; -

333 -

334

if (!required &&

!required	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

335

keypair->cert_mem == NULL &&

keypair->cert_...== ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

336

keypair->key_mem == NULL)

keypair->key_m...== ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

337

return(0);

executed 4 times by 1 test: return(0);

Executed by:

tlstest

338 -

339

if (keypair->cert_mem != NULL) {

keypair->cert_...!= ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

340

if (keypair->cert_len > INT_MAX) {

keypair->cert_len > 0x7fffffff	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

341 tls_set_errorx(ctx, "certificate too long"); -

342

goto err;

never executed: goto err;

343 } -

344 -

345

if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,

SSL_CTX_use_ce...cert_len) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

346

keypair->cert_mem, keypair->cert_len) != 1) {

SSL_CTX_use_ce...cert_len) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

347 tls_set_errorx(ctx, "failed to load certificate"); -

348

goto err;

never executed: goto err;

349 } -

350

}

executed 4 times by 1 test: end of block

Executed by:

tlstest

351 -

352

if (keypair->key_mem != NULL) {

keypair->key_m...!= ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

353

if (keypair->key_len > INT_MAX) {

keypair->key_len > 0x7fffffff	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

354 tls_set_errorx(ctx, "key too long"); -

355

goto err;

never executed: goto err;

356 } -

357 -

358

if ((bio = BIO_new_mem_buf(keypair->key_mem,

(bio = BIO_new...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

359

keypair->key_len)) == NULL) {

(bio = BIO_new...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

360 tls_set_errorx(ctx, "failed to create buffer"); -

361

goto err;

never executed: goto err;

362 } -

363

if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,

(pkey = PEM_re...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

364

NULL)) == NULL) {

(pkey = PEM_re...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

365 tls_set_errorx(ctx, "failed to read private key"); -

366

goto err;

never executed: goto err;

367 } -

368 -

369

if (keypair->pubkey_hash != NULL) {

keypair->pubke...!= ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

370 RSA *rsa; -

371 /* XXX only RSA for now for relayd privsep */ -

372

if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {

(rsa = EVP_PKE...!= ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

373 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash); -

374 RSA_free(rsa); -

375

}

executed 4 times by 1 test: end of block

Executed by:

tlstest

376

}

executed 4 times by 1 test: end of block

Executed by:

tlstest

377 -

378

if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {

SSL_CTX_use_Pr...tx, pkey) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

379 tls_set_errorx(ctx, "failed to load private key"); -

380

goto err;

never executed: goto err;

381 } -

382 BIO_free(bio); -

383 bio = NULL; -

384 EVP_PKEY_free(pkey); -

385 pkey = NULL; -

386

}

executed 4 times by 1 test: end of block

Executed by:

tlstest

387 -

388

if (!ctx->config->skip_private_key_check &&

!ctx->config->...vate_key_check	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

389

SSL_CTX_check_private_key(ssl_ctx) != 1) {

SSL_CTX_check_...(ssl_ctx) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

390 tls_set_errorx(ctx, "private/public key mismatch"); -

391

goto err;

never executed: goto err;

392 } -

393 -

394

return (0);

executed 4 times by 1 test: return (0);

Executed by:

tlstest

395 -

396 err: -

397 EVP_PKEY_free(pkey); -

398 BIO_free(bio); -

399 -

400

return (1);

never executed: return (1);

401 } -

402 -

403 int -

404 tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) -

405 { -

406 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); -

407 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); -

408 -

409 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); -

410 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); -

411 -

412 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); -

413 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); -

414 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); -

415 -

416

if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)

(ctx->config->...(1 << 1)) == 0	Description
TRUE	evaluated 8 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-8

417

SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);

executed 8 times by 1 test: SSL_CTX_ctrl((ssl_ctx),32,(0x04000000L), ((void *)0) );

Executed by:

tlstest

418

if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)

(ctx->config->...(1 << 2)) == 0	Description
TRUE	evaluated 8 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-8

419

SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);

executed 8 times by 1 test: SSL_CTX_ctrl((ssl_ctx),32,(0x10000000L), ((void *)0) );

Executed by:

tlstest

420

if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)

(ctx->config->...(1 << 3)) == 0	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

421

SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);

never executed: SSL_CTX_ctrl((ssl_ctx),32,(0x08000000L), ((void *)0) );

422 -

423

if (ctx->config->alpn != NULL) {

ctx->config->a...!= ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

424

if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,

SSL_CTX_set_al...alpn_len) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

425

ctx->config->alpn_len) != 0) {

SSL_CTX_set_al...alpn_len) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

426 tls_set_errorx(ctx, "failed to set alpn"); -

427

goto err;

never executed: goto err;

428 } -

429

}

never executed: end of block

430 -

431

if (ctx->config->ciphers != NULL) {

ctx->config->c...!= ((void *)0)	Description
TRUE	evaluated 8 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-8

432

if (SSL_CTX_set_cipher_list(ssl_ctx,

SSL_CTX_set_ci...>ciphers) != 1	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

433

ctx->config->ciphers) != 1) {

SSL_CTX_set_ci...>ciphers) != 1	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

434 tls_set_errorx(ctx, "failed to set ciphers"); -

435

goto err;

never executed: goto err;

436 } -

437

}

executed 8 times by 1 test: end of block

Executed by:

tlstest

438 -

439

if (ctx->config->verify_time == 0) {

ctx->config->verify_time == 0	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

440 X509_VERIFY_PARAM_set_flags(ssl_ctx->param, -

441 X509_V_FLAG_NO_CHECK_TIME); -

442

}

never executed: end of block

443 -

444 /* Disable any form of session caching by default */ -

445 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF); -

446 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET); -

447 -

448

return (0);

executed 8 times by 1 test: return (0);

Executed by:

tlstest

449 -

450 err: -

451

return (-1);

never executed: return (-1);

452 } -

453 -

454 static int -

455 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg) -

456 { -

457 struct tls *ctx = arg; -

458 int x509_err; -

459 -

460

if (ctx->config->verify_cert == 0)

ctx->config->verify_cert == 0	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

461

return (1);

never executed: return (1);

462 -

463

if ((X509_verify_cert(x509_ctx)) < 0) {

(X509_verify_c...x509_ctx)) < 0	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

464 tls_set_errorx(ctx, "X509 verify cert failed"); -

465

return (0);

never executed: return (0);

466 } -

467 -

468 x509_err = X509_STORE_CTX_get_error(x509_ctx); -

469

if (x509_err == X509_V_OK)

x509_err == 0	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

470

return (1);

executed 4 times by 1 test: return (1);

Executed by:

tlstest

471 -

472 tls_set_errorx(ctx, "certificate verification failed: %s", -

473 X509_verify_cert_error_string(x509_err)); -

474 -

475

return (0);

never executed: return (0);

476 } -

477 -

478 int -

479 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) -

480 { -

481 size_t ca_len = ctx->config->ca_len; -

482 char *ca_mem = ctx->config->ca_mem; -

483 char *crl_mem = ctx->config->crl_mem; -

484 size_t crl_len = ctx->config->crl_len; -

485 char *ca_free = NULL; -

486 STACK_OF(X509_INFO) *xis = NULL; -

487 X509_STORE *store; -

488 X509_INFO *xi; -

489 BIO *bio = NULL; -

490 int rv = -1; -

491 int i; -

492 -

493 SSL_CTX_set_verify(ssl_ctx, verify, NULL); -

494 SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx); -

495 -

496

if (ctx->config->verify_depth >= 0)

ctx->config->verify_depth >= 0	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

497

SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);

executed 4 times by 1 test: SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);

Executed by:

tlstest

498 -

499

if (ctx->config->verify_cert == 0)

ctx->config->verify_cert == 0	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

500

goto done;

never executed: goto done;

501 -

502 /* If no CA has been specified, attempt to load the default. */ -

503

if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {

ctx->config->c...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

ctx->config->c...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

0-4

504

if (tls_config_load_file(&ctx->error, "CA", _PATH_SSL_CA_FILE,

tls_config_loa... &ca_len) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

505

&ca_mem, &ca_len) != 0)

tls_config_loa... &ca_len) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

506

goto err;

never executed: goto err;

507 ca_free = ca_mem; -

508

}

never executed: end of block

509 -

510

if (ca_mem != NULL) {

ca_mem != ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-4

511

if (ca_len > INT_MAX) {

ca_len > 0x7fffffff	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

512 tls_set_errorx(ctx, "ca too long"); -

513

goto err;

never executed: goto err;

514 } -

515

if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {

SSL_CTX_load_v..., ca_len) != 1	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

516 tls_set_errorx(ctx, "ssl verify memory setup failure"); -

517

goto err;

never executed: goto err;

518 } -

519

} else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,

executed 4 times by 1 test: end of block

Executed by:

tlstest

SSL_CTX_load_v...>ca_path) != 1	Description
TRUE	never evaluated
FALSE	never evaluated

0-4

520

ctx->config->ca_path) != 1) {

SSL_CTX_load_v...>ca_path) != 1	Description
TRUE	never evaluated
FALSE	never evaluated

521 tls_set_errorx(ctx, "ssl verify locations failure"); -

522

goto err;

never executed: goto err;

523 } -

524 -

525

if (crl_mem != NULL) {

crl_mem != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: tlstest

0-4

526

if (crl_len > INT_MAX) {

crl_len > 0x7fffffff	Description
TRUE	never evaluated
FALSE	never evaluated

527 tls_set_errorx(ctx, "crl too long"); -

528

goto err;

never executed: goto err;

529 } -

530

if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {

(bio = BIO_new...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

531 tls_set_errorx(ctx, "failed to create buffer"); -

532

goto err;

never executed: goto err;

533 } -

534

if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,

(xis = PEM_X50...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

535

NULL)) == NULL) {

(xis = PEM_X50...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

536 tls_set_errorx(ctx, "failed to parse crl"); -

537

goto err;

never executed: goto err;

538 } -

539 store = SSL_CTX_get_cert_store(ssl_ctx); -

540

for (i = 0; i < sk_X509_INFO_num(xis); i++) {

i < sk_num(((_...509_INFO*)0)))	Description
TRUE	never evaluated
FALSE	never evaluated

541 xi = sk_X509_INFO_value(xis, i); -

542

if (xi->crl == NULL)

xi->crl == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

543

continue;

never executed: continue;

544

if (!X509_STORE_add_crl(store, xi->crl)) {

!X509_STORE_ad...tore, xi->crl)	Description
TRUE	never evaluated
FALSE	never evaluated

545 tls_set_error(ctx, "failed to add crl"); -

546

goto err;

never executed: goto err;

547 } -

548 xi->crl = NULL; -

549

}

never executed: end of block

550 X509_VERIFY_PARAM_set_flags(store->param, -

551 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); -

552

}

never executed: end of block

553 -

554

done:

code before this statement executed 4 times by 1 test: done:

Executed by:

tlstest

555 rv = 0; -

556 -

557

err:

code before this statement executed 4 times by 1 test: err:

Executed by:

tlstest

558 sk_X509_INFO_pop_free(xis, X509_INFO_free); -

559 BIO_free(bio); -

560 free(ca_free); -

561 -

562

return (rv);

executed 4 times by 1 test: return (rv);

Executed by:

tlstest

563 } -

564 -

565 void -

566 tls_free(struct tls *ctx) -

567 { -

568

if (ctx == NULL)

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 36 times by 2 tests Evaluated by: tlstest verifytest

0-36

569

return;

never executed: return;

570 -

571 tls_reset(ctx); -

572 -

573 free(ctx); -

574

}

executed 36 times by 2 tests: end of block

Executed by:

tlstest
verifytest

575 -

576 void -

577 tls_reset(struct tls *ctx) -

578 { -

579 struct tls_sni_ctx *sni, *nsni; -

580 -

581 tls_config_free(ctx->config); -

582 ctx->config = NULL; -

583 -

584 SSL_CTX_free(ctx->ssl_ctx); -

585 SSL_free(ctx->ssl_conn); -

586 X509_free(ctx->ssl_peer_cert); -

587 -

588 ctx->ssl_conn = NULL; -

589 ctx->ssl_ctx = NULL; -

590 ctx->ssl_peer_cert = NULL; -

591 /* X509 objects in chain are freed with the SSL */ -

592 ctx->ssl_peer_chain = NULL; -

593 -

594 ctx->socket = -1; -

595 ctx->state = 0; -

596 -

597 free(ctx->servername); -

598 ctx->servername = NULL; -

599 -

600 free(ctx->error.msg); -

601 ctx->error.msg = NULL; -

602 ctx->error.num = -1; -

603 -

604 tls_conninfo_free(ctx->conninfo); -

605 ctx->conninfo = NULL; -

606 -

607 tls_ocsp_free(ctx->ocsp); -

608 ctx->ocsp = NULL; -

609 -

610

for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {

sni != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 78 times by 2 tests Evaluated by: tlstest verifytest

0-78

611 nsni = sni->next; -

612 tls_sni_ctx_free(sni); -

613

}

never executed: end of block

614 ctx->sni_ctx = NULL; -

615 -

616 ctx->read_cb = NULL; -

617 ctx->write_cb = NULL; -

618 ctx->cb_arg = NULL; -

619

}

executed 78 times by 2 tests: end of block

Executed by:

tlstest
verifytest

620 -

621 int -

622 tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix) -

623 { -

624 const char *errstr = "unknown error"; -

625 unsigned long err; -

626 int ssl_err; -

627 -

628 ssl_err = SSL_get_error(ssl_conn, ssl_ret); -

629 switch (ssl_err) { -

630

case SSL_ERROR_NONE:

never executed: case 0:

631

case SSL_ERROR_ZERO_RETURN:

never executed: case 6:

632

return (0);

never executed: return (0);

633 -

634

case SSL_ERROR_WANT_READ:

executed 16 times by 1 test: case 2:

Executed by:

tlstest

635

return (TLS_WANT_POLLIN);

executed 16 times by 1 test: return (-2);

Executed by:

tlstest

636 -

637

case SSL_ERROR_WANT_WRITE:

executed 4 times by 1 test: case 3:

Executed by:

tlstest

638

return (TLS_WANT_POLLOUT);

executed 4 times by 1 test: return (-3);

Executed by:

tlstest

639 -

640

case SSL_ERROR_SYSCALL:

never executed: case 5:

641

if ((err = ERR_peek_error()) != 0) {

(err = ERR_peek_error()) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

642 errstr = ERR_error_string(err, NULL); -

643

} else if (ssl_ret == 0) {

never executed: end of block

ssl_ret == 0	Description
TRUE	never evaluated
FALSE	never evaluated

644

if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {

(ctx->state & (1 << 2)) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

645 ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY; -

646

return (0);

never executed: return (0);

647 } -

648 errstr = "unexpected EOF"; -

649

} else if (ssl_ret == -1) {

never executed: end of block

ssl_ret == -1	Description
TRUE	never evaluated
FALSE	never evaluated

650 errstr = strerror(errno); -

651

}

never executed: end of block

652 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); -

653

return (-1);

never executed: return (-1);

654 -

655

case SSL_ERROR_SSL:

never executed: case 1:

656

if ((err = ERR_peek_error()) != 0) {

(err = ERR_peek_error()) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

657 errstr = ERR_error_string(err, NULL); -

658

}

never executed: end of block

659 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); -

660

return (-1);

never executed: return (-1);

661 -

662

case SSL_ERROR_WANT_CONNECT:

never executed: case 7:

663

case SSL_ERROR_WANT_ACCEPT:

never executed: case 8:

664

case SSL_ERROR_WANT_X509_LOOKUP:

never executed: case 4:

665

default:

never executed: default:

666 tls_set_ssl_errorx(ctx, "%s failed (%i)", prefix, ssl_err); -

667

return (-1);

never executed: return (-1);

668 } -

669 } -

670 -

671 int -

672 tls_handshake(struct tls *ctx) -

673 { -

674 int rv = -1; -

675 -

676 tls_error_clear(&ctx->error); -

677 -

678

if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {

(ctx->flags & ...1 << 2))) == 0	Description
TRUE	never evaluated
FALSE	evaluated 31 times by 1 test Evaluated by: tlstest

0-31

679 tls_set_errorx(ctx, "invalid operation for context"); -

680

goto out;

never executed: goto out;

681 } -

682 -

683

if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {

(ctx->state & (1 << 2)) != 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: tlstest
FALSE	evaluated 29 times by 1 test Evaluated by: tlstest

2-29

684 tls_set_errorx(ctx, "handshake already completed"); -

685

goto out;

executed 2 times by 1 test: goto out;

Executed by:

tlstest

686 } -

687 -

688

if ((ctx->flags & TLS_CLIENT) != 0)

(ctx->flags & (1 << 0)) != 0	Description
TRUE	evaluated 17 times by 1 test Evaluated by: tlstest
FALSE	evaluated 12 times by 1 test Evaluated by: tlstest

12-17

689

rv = tls_handshake_client(ctx);

executed 17 times by 1 test: rv = tls_handshake_client(ctx);

Executed by:

tlstest

690

else if ((ctx->flags & TLS_SERVER_CONN) != 0)

(ctx->flags & (1 << 2)) != 0	Description
TRUE	evaluated 12 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-12

691

rv = tls_handshake_server(ctx);

executed 12 times by 1 test: rv = tls_handshake_server(ctx);

Executed by:

tlstest

692 -

693

if (rv == 0) {

rv == 0	Description
TRUE	evaluated 8 times by 1 test Evaluated by: tlstest
FALSE	evaluated 21 times by 1 test Evaluated by: tlstest

8-21

694 ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn); -

695 ctx->ssl_peer_chain = SSL_get_peer_cert_chain(ctx->ssl_conn); -

696

if (tls_conninfo_populate(ctx) == -1)

tls_conninfo_p...ate(ctx) == -1	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

697

rv = -1;

never executed: rv = -1;

698

if (ctx->ocsp == NULL)

ctx->ocsp == ((void *)0)	Description
TRUE	evaluated 8 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-8

699

ctx->ocsp = tls_ocsp_setup_from_peer(ctx);

executed 8 times by 1 test: ctx->ocsp = tls_ocsp_setup_from_peer(ctx);

Executed by:

tlstest

700

}

executed 8 times by 1 test: end of block

Executed by:

tlstest

701

out:

code before this statement executed 29 times by 1 test: out:

Executed by:

tlstest

702 /* Prevent callers from performing incorrect error handling */ -

703 errno = 0; -

704

return (rv);

executed 31 times by 1 test: return (rv);

Executed by:

tlstest

705 } -

706 -

707 ssize_t -

708 tls_read(struct tls *ctx, void *buf, size_t buflen) -

709 { -

710 ssize_t rv = -1; -

711 int ssl_ret; -

712 -

713 tls_error_clear(&ctx->error); -

714 -

715

if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {

(ctx->state & (1 << 2)) == 0	Description
TRUE	never evaluated
FALSE	never evaluated

716

if ((rv = tls_handshake(ctx)) != 0)

(rv = tls_handshake(ctx)) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

717

goto out;

never executed: goto out;

718

}

never executed: end of block

719 -

720

if (buflen > INT_MAX) {

buflen > 0x7fffffff	Description
TRUE	never evaluated
FALSE	never evaluated

721 tls_set_errorx(ctx, "buflen too long"); -

722

goto out;

never executed: goto out;

723 } -

724 -

725 ERR_clear_error(); -

726

if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {

(ssl_ret = SSL..., buflen)) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

727 rv = (ssize_t)ssl_ret; -

728

goto out;

never executed: goto out;

729 } -

730 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read"); -

731 -

732

out:

code before this statement never executed: out:

733 /* Prevent callers from performing incorrect error handling */ -

734 errno = 0; -

735

return (rv);

never executed: return (rv);

736 } -

737 -

738 ssize_t -

739 tls_write(struct tls *ctx, const void *buf, size_t buflen) -

740 { -

741 ssize_t rv = -1; -

742 int ssl_ret; -

743 -

744 tls_error_clear(&ctx->error); -

745 -

746

if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {

(ctx->state & (1 << 2)) == 0	Description
TRUE	never evaluated
FALSE	never evaluated

747

if ((rv = tls_handshake(ctx)) != 0)

(rv = tls_handshake(ctx)) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

748

goto out;

never executed: goto out;

749

}

never executed: end of block

750 -

751

if (buflen > INT_MAX) {

buflen > 0x7fffffff	Description
TRUE	never evaluated
FALSE	never evaluated

752 tls_set_errorx(ctx, "buflen too long"); -

753

goto out;

never executed: goto out;

754 } -

755 -

756 ERR_clear_error(); -

757

if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {

(ssl_ret = SSL..., buflen)) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

758 rv = (ssize_t)ssl_ret; -

759

goto out;

never executed: goto out;

760 } -

761 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write"); -

762 -

763

out:

code before this statement never executed: out:

764 /* Prevent callers from performing incorrect error handling */ -

765 errno = 0; -

766

return (rv);

never executed: return (rv);

767 } -

768 -

769 int -

770 tls_close(struct tls *ctx) -

771 { -

772 int ssl_ret; -

773 int rv = 0; -

774 -

775 tls_error_clear(&ctx->error); -

776 -

777

if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {

(ctx->flags & ...1 << 2))) == 0	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

778 tls_set_errorx(ctx, "invalid operation for context"); -

779 rv = -1; -

780

goto out;

never executed: goto out;

781 } -

782 -

783

if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {

ctx->state & (1 << 3)	Description
TRUE	evaluated 8 times by 1 test Evaluated by: tlstest
FALSE	never evaluated

0-8

784 ERR_clear_error(); -

785 ssl_ret = SSL_shutdown(ctx->ssl_conn); -

786

if (ssl_ret < 0) {

ssl_ret < 0	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

787 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, -

788 "shutdown"); -

789

if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)

rv == -2	Description
TRUE	never evaluated
FALSE	never evaluated

rv == -3	Description
TRUE	never evaluated
FALSE	never evaluated

790

goto out;

never executed: goto out;

791

}

never executed: end of block

792 ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN; -

793

}

executed 8 times by 1 test: end of block

Executed by:

tlstest

794 -

795

if (ctx->socket != -1) {

ctx->socket != -1	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

796

if (shutdown(ctx->socket, SHUT_RDWR) != 0) {

shutdown(ctx->...UT_RDWR ) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

797

if (rv == 0 &&

rv == 0	Description
TRUE	never evaluated
FALSE	never evaluated

798

errno != ENOTCONN && errno != ECONNRESET) {

(*__errno_location ()) != 107	Description
TRUE	never evaluated
FALSE	never evaluated

(*__errno_location ()) != 104	Description
TRUE	never evaluated
FALSE	never evaluated

799 tls_set_error(ctx, "shutdown"); -

800 rv = -1; -

801

}

never executed: end of block

802

}

never executed: end of block

803

if (close(ctx->socket) != 0) {

close(ctx->socket) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

804

if (rv == 0) {

rv == 0	Description
TRUE	never evaluated
FALSE	never evaluated

805 tls_set_error(ctx, "close"); -

806 rv = -1; -

807

}

never executed: end of block

808

}

never executed: end of block

809 ctx->socket = -1; -

810

}

never executed: end of block

811 -

812

if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {

(ctx->state & (1 << 0)) != 0	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: tlstest

0-8

813 tls_set_errorx(ctx, "EOF without close notify"); -

814 rv = -1; -

815

}

never executed: end of block

816 -

817

out:

code before this statement executed 8 times by 1 test: out:

Executed by:

tlstest

818 /* Prevent callers from performing incorrect error handling */ -

819 errno = 0; -

820

return (rv);

executed 8 times by 1 test: return (rv);

Executed by:

tlstest

821 } -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2