[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Sat May 30 16:28:21 UTC 2015
The branch master has been updated
via e0f9bf1de72e2717a5e8c2126259959e2d650777 (commit)
from 6218a1f57e7e25a6b9a798f00cf5f0e56a02ff31 (commit)
- Log -----------------------------------------------------------------
commit e0f9bf1de72e2717a5e8c2126259959e2d650777
Author: Rich Salz <rsalz at akamai.com>
Date: Fri May 29 12:22:43 2015 -0400
clear/cleanse cleanup
Where we called openssl_cleanse, make sure we do it on all error
paths. Be consistent in use of sizeof(foo) when possible.
Reviewed-by: Andy Polyakov <appro at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_enc.c | 10 ++++++----
ssl/s3_srvr.c | 3 +--
ssl/t1_enc.c | 12 +++++++-----
3 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index ea9042b..dd93e25 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -206,7 +206,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
km += MD5_DIGEST_LENGTH;
}
- OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
+ OPENSSL_cleanse(smd, sizeof(smd));
EVP_MD_CTX_cleanup(&m5);
EVP_MD_CTX_cleanup(&s1);
return 1;
@@ -388,13 +388,15 @@ int ssl3_change_cipher_state(SSL *s, int which)
}
#endif
- OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
- OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
+ OPENSSL_cleanse(exp_key, sizeof(exp_key));
+ OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
EVP_MD_CTX_cleanup(&md);
return (1);
err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
err2:
+ OPENSSL_cleanse(exp_key, sizeof(exp_key));
+ OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
return (0);
}
@@ -687,7 +689,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
s, s->msg_callback_arg);
}
#endif
- OPENSSL_cleanse(buf, sizeof buf);
+ OPENSSL_cleanse(buf, sizeof(buf));
return (ret);
}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 68234ec..88e649d 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2238,7 +2238,6 @@ int ssl3_get_client_key_exchange(SSL *s)
BIGNUM *pub = NULL;
DH *dh_srvr, *dh_clnt = NULL;
#endif
-
#ifndef OPENSSL_NO_EC
EC_KEY *srvr_ecdh = NULL;
EVP_PKEY *clnt_pub_pkey = NULL;
@@ -2676,7 +2675,7 @@ int ssl3_get_client_key_exchange(SSL *s)
psk_len = s->psk_server_callback(s, tmp_id,
psk_or_pre_ms,
sizeof(psk_or_pre_ms));
- OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
+ OPENSSL_cleanse(tmp_id, sizeof(tmp_id));
if (psk_len > PSK_MAX_PSK_LEN) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 8c53aa8..e410ff7 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -563,6 +563,10 @@ int tls1_change_cipher_state(SSL *s, int which)
err:
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
err2:
+ OPENSSL_cleanse(tmp1, sizeof(tmp1));
+ OPENSSL_cleanse(tmp2, sizeof(tmp1));
+ OPENSSL_cleanse(iv1, sizeof(iv1));
+ OPENSSL_cleanse(iv2, sizeof(iv2));
return (0);
}
@@ -721,7 +725,7 @@ int tls1_final_finish_mac(SSL *s, const char *str, int slen,
return 0;
OPENSSL_cleanse(hash, hashlen);
OPENSSL_cleanse(buf2, sizeof(buf2));
- return sizeof buf2;
+ return sizeof(buf2);
}
int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
@@ -871,8 +875,6 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
NULL, 0,
s->session->master_key, s->session->master_key_length,
out, buff, olen);
- OPENSSL_cleanse(val, vallen);
- OPENSSL_cleanse(buff, olen);
goto ret;
err1:
@@ -884,8 +886,8 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
rv = 0;
ret:
- OPENSSL_free(buff);
- OPENSSL_free(val);
+ CRYPTO_clear_free(val, vallen);
+ CRYPTO_clear_free(buff, olen);
return (rv);
}
More information about the openssl-commits
mailing list