[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Sat May 30 16:28:21 UTC 2015


The branch master has been updated
       via  e0f9bf1de72e2717a5e8c2126259959e2d650777 (commit)
      from  6218a1f57e7e25a6b9a798f00cf5f0e56a02ff31 (commit)


- Log -----------------------------------------------------------------
commit e0f9bf1de72e2717a5e8c2126259959e2d650777
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri May 29 12:22:43 2015 -0400

    clear/cleanse cleanup
    
    Where we called openssl_cleanse, make sure we do it on all error
    paths.  Be consistent in use of sizeof(foo) when possible.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_enc.c  | 10 ++++++----
 ssl/s3_srvr.c |  3 +--
 ssl/t1_enc.c  | 12 +++++++-----
 3 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index ea9042b..dd93e25 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -206,7 +206,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
         km += MD5_DIGEST_LENGTH;
     }
-    OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
+    OPENSSL_cleanse(smd, sizeof(smd));
     EVP_MD_CTX_cleanup(&m5);
     EVP_MD_CTX_cleanup(&s1);
     return 1;
@@ -388,13 +388,15 @@ int ssl3_change_cipher_state(SSL *s, int which)
     }
 #endif
 
-    OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
-    OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
+    OPENSSL_cleanse(exp_key, sizeof(exp_key));
+    OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
     EVP_MD_CTX_cleanup(&md);
     return (1);
  err:
     SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  err2:
+    OPENSSL_cleanse(exp_key, sizeof(exp_key));
+    OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
     return (0);
 }
 
@@ -687,7 +689,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
                         s, s->msg_callback_arg);
     }
 #endif
-    OPENSSL_cleanse(buf, sizeof buf);
+    OPENSSL_cleanse(buf, sizeof(buf));
     return (ret);
 }
 
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 68234ec..88e649d 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2238,7 +2238,6 @@ int ssl3_get_client_key_exchange(SSL *s)
     BIGNUM *pub = NULL;
     DH *dh_srvr, *dh_clnt = NULL;
 #endif
-
 #ifndef OPENSSL_NO_EC
     EC_KEY *srvr_ecdh = NULL;
     EVP_PKEY *clnt_pub_pkey = NULL;
@@ -2676,7 +2675,7 @@ int ssl3_get_client_key_exchange(SSL *s)
         psk_len = s->psk_server_callback(s, tmp_id,
                                          psk_or_pre_ms,
                                          sizeof(psk_or_pre_ms));
-        OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
+        OPENSSL_cleanse(tmp_id, sizeof(tmp_id));
 
         if (psk_len > PSK_MAX_PSK_LEN) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 8c53aa8..e410ff7 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -563,6 +563,10 @@ int tls1_change_cipher_state(SSL *s, int which)
  err:
     SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  err2:
+    OPENSSL_cleanse(tmp1, sizeof(tmp1));
+    OPENSSL_cleanse(tmp2, sizeof(tmp1));
+    OPENSSL_cleanse(iv1, sizeof(iv1));
+    OPENSSL_cleanse(iv2, sizeof(iv2));
     return (0);
 }
 
@@ -721,7 +725,7 @@ int tls1_final_finish_mac(SSL *s, const char *str, int slen,
         return 0;
     OPENSSL_cleanse(hash, hashlen);
     OPENSSL_cleanse(buf2, sizeof(buf2));
-    return sizeof buf2;
+    return sizeof(buf2);
 }
 
 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
@@ -871,8 +875,6 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                   NULL, 0,
                   s->session->master_key, s->session->master_key_length,
                   out, buff, olen);
-    OPENSSL_cleanse(val, vallen);
-    OPENSSL_cleanse(buff, olen);
 
     goto ret;
  err1:
@@ -884,8 +886,8 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
     SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
     rv = 0;
  ret:
-    OPENSSL_free(buff);
-    OPENSSL_free(val);
+    CRYPTO_clear_free(val, vallen);
+    CRYPTO_clear_free(buff, olen);
     return (rv);
 }
 


More information about the openssl-commits mailing list