From e3760ba71046b20fc9304b4e56b3193d9dec8e0f Mon Sep 17 00:00:00 2001
From: Aaron Jones
Date: Wed, 27 Apr 2016 21:43:54 +0000
Subject: [PATCH] [TLS backends] Miscellaneous fixes

* Certificate fingerprint length functions return an "int", so use an int when calculating the length
* Clean up the OpenSSL certificate fingerprint if() and indentation mess
---
 librb/src/gnutls.c | 4 ++--
 librb/src/mbedtls.c | 2 +-
 librb/src/openssl.c | 38 ++++++++++++++++++++------------------
 3 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/librb/src/gnutls.c b/librb/src/gnutls.c
index cea17d805..9216b08e4 100644
--- a/librb/src/gnutls.c
+++ b/librb/src/gnutls.c
@@ -602,14 +602,14 @@ rb_get_ssl_strerror(rb_fde_t *F)
 return gnutls_strerror(F->ssl_errno);
 }
 
-static unsigned int
+static int
 make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
 gnutls_digest_algorithm_t algo;
 uint8_t digest[RB_SSL_CERTFP_LEN * 2];
 size_t digest_size;
 bool spki = false;
- unsigned int len;
+ int len;
 
 switch(method)
 {
diff --git a/librb/src/mbedtls.c b/librb/src/mbedtls.c
index c2d4ba02e..9f6bc65da 100644
--- a/librb/src/mbedtls.c
+++ b/librb/src/mbedtls.c
@@ -544,7 +544,7 @@ make_certfp(const mbedtls_x509_crt *peer_cert, uint8_t certfp[RB_SSL_CERTFP_LEN]
 mbedtls_md_type_t md_type;
 bool spki = false;
 int ret;
- size_t len;
+ int len;
 
 switch (method)
 {
diff --git a/librb/src/openssl.c b/librb/src/openssl.c
index bc44260eb..2b53f3371 100644
--- a/librb/src/openssl.c
+++ b/librb/src/openssl.c
@@ -710,13 +710,13 @@ rb_get_ssl_strerror(rb_fde_t *F)
 return get_ssl_error(F->ssl_errno);
 }
 
-static unsigned int
+static int
 make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
 const ASN1_ITEM *it;
 const EVP_MD *evp;
 void *data;
- unsigned int len;
+ int len;
 
 switch(method)
 {
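Review bot: In the gnutls.c hunk `len` becomes `int` while `digest_size`, two lines above it, stays `size_t`, so any assignment or comparison between the two later in make_certfp (its body runs past the hunk) is now a signed/unsigned mix that -Wsign-compare/-Wconversion will flag and that a large value would wrap negative. If the length is only ever a digest size, `int len = 0;` with an explicit `(int)` cast at the assignment makes the narrowing deliberate; otherwise keep `size_t` here and convert once at the `return`. A function that now returns a signed `int` also invites a `< 0` error convention, so the header comment should state whether 0 or a negative value means "no fingerprint": `/* Returns the fingerprint length in bytes, or 0 if no fingerprint could be computed. */`.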
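Review bot: The openssl.c make_certfp hunk changes `len` to `int`, but the OpenSSL digest helpers this function presumably calls below the hunk (X509_digest()/X509_pubkey_digest() take `unsigned int *`) would then receive `&len` as an incompatible pointer type, which compilers warn about and which silently reinterprets the value; if that is the case, keep a local `unsigned int md_len;` for the out-parameter and assign `len = (int) md_len;` afterwards. The body of make_certfp continues outside the hunk, so this needs confirming there. Either way the return contract of the now-signed function should be documented alongside the signature, e.g. `/* Fingerprint length written to certfp, or 0 when the digest could not be produced. */`.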
@@ -762,6 +762,7 @@ make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 int
 rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
+ int len = 0;
 X509 *cert;
 int res;
 
@@ -769,25 +770,26 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 return 0;
 
 cert = SSL_get_peer_certificate((SSL *) F->ssl);
- if(cert != NULL)
+ if(cert == NULL)
+ return 0;
+
+ res = SSL_get_verify_result((SSL *) F->ssl);
+ switch(res)
 {
- res = SSL_get_verify_result((SSL *) F->ssl);
- if(
- res == X509_V_OK ||
- res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
- res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
- res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
- res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
- res == X509_V_ERR_CERT_UNTRUSTED)
- {
- unsigned int len = make_certfp(cert, certfp, method);
- X509_free(cert);
- return len;
- }
- X509_free(cert);
+ case X509_V_OK:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ case X509_V_ERR_CERT_UNTRUSTED:
+ len = make_certfp(cert, certfp, method);
+
+ default: /* to silence code inspectors */
+ break;
 }
- return 0;
+
+ X509_free(cert);
+ return len;
 }
 
 int
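Review bot: In the new switch the `len = make_certfp(cert, certfp, method);` case falls straight into `default: break;` with nothing marking that as intentional, so -Wimplicit-fallthrough and any reader will see a dropped `break`; give that case its own `break;` (or a `/* fallthrough */` marker) and the `/* to silence code inspectors */` comment on `default` becomes unnecessary. The accepted-result list is the security policy of this function and deserves a why-comment: it hands out a fingerprint for certificates OpenSSL could not chain to a trusted CA, presumably because certfp relies on the handshake's proof of private-key possession rather than on the chain, while results not listed (expiry, a bad signature) leave `len` at 0 and suppress the fingerprint; `/* certfp identifies a peer by key possession, so chain/trust errors are tolerated; every other verify error (expired, bad signature, ...) suppresses the fingerprint */`. The `int res;` declared in the previous hunk is assigned from SSL_get_verify_result(), which returns `long`, so `long res;` would avoid the narrowing conversion. The NULL/ssl guard at the top of rb_get_ssl_certfp lies outside the hunk.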