[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Thu Apr 30 21:58:09 UTC 2015
The branch master has been updated
via 4b45c6e52b208deff7da333d1c7f84bcd3986609 (commit)
from 68dc682499ea3fe27d909c946d7abd39062d6efd (commit)
- Log -----------------------------------------------------------------
commit 4b45c6e52b208deff7da333d1c7f84bcd3986609
Author: Rich Salz <rsalz at openssl.org>
Date: Thu Apr 30 17:57:32 2015 -0400
free cleanup almost the finale
Add OPENSSL_clear_free which merges cleanse and free.
(Names was picked to be similar to BN_clear_free, etc.)
Removed OPENSSL_freeFunc macro.
Fixed the small simple ones that are left:
CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/apps.c | 5 +----
apps/dgst.c | 5 +----
apps/s_client.c | 18 ++++-------------
apps/s_server.c | 5 +----
crypto/asn1/a_sign.c | 20 ++++---------------
crypto/asn1/a_verify.c | 6 ++----
crypto/bn/bn_rand.c | 5 +----
crypto/cms/cms_asn1.c | 10 ++--------
crypto/cms/cms_enc.c | 11 +++--------
crypto/cms/cms_env.c | 15 ++++----------
crypto/cms/cms_kari.c | 5 +----
crypto/cms/cms_pwri.c | 3 +--
crypto/dh/dh_pmeth.c | 5 +----
crypto/dsa/dsa_asn1.c | 5 +----
crypto/ec/ec_key.c | 4 +---
crypto/ec/ec_lib.c | 13 +++---------
crypto/ec/ec_mult.c | 3 +--
crypto/ec/ec_pmeth.c | 5 +----
crypto/ec/ecp_nistp224.c | 3 +--
crypto/ec/ecp_nistp256.c | 3 +--
crypto/ec/ecp_nistp521.c | 3 +--
crypto/ec/ecp_nistz256.c | 10 +++-------
crypto/ecdh/ech_lib.c | 5 +----
crypto/ecdsa/ecs_lib.c | 4 +---
crypto/ecdsa/ecs_vrf.c | 5 +----
crypto/engine/eng_openssl.c | 11 +++--------
crypto/evp/bio_enc.c | 3 +--
crypto/evp/bio_ok.c | 3 +--
crypto/evp/digest.c | 3 +--
crypto/evp/evp_pbe.c | 2 +-
crypto/evp/p_open.c | 4 +---
crypto/hmac/hm_pmeth.c | 8 ++------
crypto/mem.c | 12 ++++++++++--
crypto/modes/gcm128.c | 5 +----
crypto/modes/ocb128.c | 5 +----
crypto/pem/pem_lib.c | 13 +++---------
crypto/pem/pem_pkey.c | 3 +--
crypto/pem/pvkfmt.c | 5 +----
crypto/pkcs12/p12_key.c | 5 +----
crypto/pkcs7/pk7_doit.c | 48 ++++++++++++++-------------------------------
crypto/rand/rand_lib.c | 5 +----
crypto/rsa/rsa_eay.c | 20 ++++---------------
crypto/rsa/rsa_lib.c | 3 +--
crypto/rsa/rsa_saos.c | 8 ++------
crypto/rsa/rsa_sign.c | 14 ++++---------
engines/e_4758cca.c | 12 ++++--------
engines/e_sureware.c | 5 +----
include/openssl/crypto.h | 3 ++-
ssl/s3_clnt.c | 10 +++-------
ssl/s3_enc.c | 7 ++-----
ssl/s3_lib.c | 3 +--
ssl/ssl_cert.c | 7 ++-----
ssl/ssl_sess.c | 3 +--
ssl/t1_enc.c | 5 +----
ssl/tls_srp.c | 19 +++++-------------
util/libeay.num | 2 ++
56 files changed, 121 insertions(+), 311 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index f74b968..aecd612 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -377,10 +377,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
}
while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
- if (buff) {
- OPENSSL_cleanse(buff, (unsigned int)bufsiz);
- OPENSSL_free(buff);
- }
+ OPENSSL_clear_free(buff, (unsigned int)bufsiz);
if (ok >= 0)
res = strlen(buf);
diff --git a/apps/dgst.c b/apps/dgst.c
index 3ff4750..69211d3 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -441,10 +441,7 @@ int dgst_main(int argc, char **argv)
}
}
end:
- if (buf != NULL) {
- OPENSSL_cleanse(buf, BUFSIZE);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, BUFSIZE);
BIO_free(in);
if (passin)
OPENSSL_free(passin);
diff --git a/apps/s_client.c b/apps/s_client.c
index 344c88c..e7e6684 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1994,8 +1994,7 @@ int s_client_main(int argc, char **argv)
#endif
SSL_CTX_free(ctx);
X509_free(cert);
- if (crls)
- sk_X509_CRL_pop_free(crls, X509_CRL_free);
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
EVP_PKEY_free(key);
sk_X509_pop_free(chain, X509_free);
if (pass)
@@ -2008,18 +2007,9 @@ int s_client_main(int argc, char **argv)
if (jpake_secret && psk_key)
OPENSSL_free(psk_key);
#endif
- if (cbuf != NULL) {
- OPENSSL_cleanse(cbuf, BUFSIZZ);
- OPENSSL_free(cbuf);
- }
- if (sbuf != NULL) {
- OPENSSL_cleanse(sbuf, BUFSIZZ);
- OPENSSL_free(sbuf);
- }
- if (mbuf != NULL) {
- OPENSSL_cleanse(mbuf, BUFSIZZ);
- OPENSSL_free(mbuf);
- }
+ OPENSSL_clear_free(cbuf, BUFSIZZ);
+ OPENSSL_clear_free(sbuf, BUFSIZZ);
+ OPENSSL_clear_free(mbuf, BUFSIZZ);
BIO_free(bio_c_out);
bio_c_out = NULL;
BIO_free(bio_c_msg);
diff --git a/apps/s_server.c b/apps/s_server.c
index 21d2d37..ef32d5a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2395,10 +2395,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
SSL_free(con);
}
BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
- if (buf != NULL) {
- OPENSSL_cleanse(buf, bufsize);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, bufsize);
if (ret >= 0)
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c
index 21cbe0c..fb7536d 100644
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -203,14 +203,8 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
err:
EVP_MD_CTX_cleanup(&ctx);
- if (buf_in != NULL) {
- OPENSSL_cleanse((char *)buf_in, (unsigned int)inl);
- OPENSSL_free(buf_in);
- }
- if (buf_out != NULL) {
- OPENSSL_cleanse((char *)buf_out, outll);
- OPENSSL_free(buf_out);
- }
+ OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
+ OPENSSL_clear_free((char *)buf_out, outll);
return (outl);
}
@@ -319,13 +313,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
err:
EVP_MD_CTX_cleanup(ctx);
- if (buf_in != NULL) {
- OPENSSL_cleanse((char *)buf_in, (unsigned int)inl);
- OPENSSL_free(buf_in);
- }
- if (buf_out != NULL) {
- OPENSSL_cleanse((char *)buf_out, outll);
- OPENSSL_free(buf_out);
- }
+ OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
+ OPENSSL_clear_free((char *)buf_out, outll);
return (outl);
}
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 6023b14..b452999 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -107,8 +107,7 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
ret = EVP_VerifyInit_ex(&ctx, type, NULL)
&& EVP_VerifyUpdate(&ctx, (unsigned char *)buf_in, inl);
- OPENSSL_cleanse(buf_in, (unsigned int)inl);
- OPENSSL_free(buf_in);
+ OPENSSL_clear_free(buf_in, (unsigned int)inl);
if (!ret) {
ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_EVP_LIB);
@@ -208,8 +207,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
ret = EVP_DigestVerifyUpdate(&ctx, buf_in, inl);
- OPENSSL_cleanse(buf_in, (unsigned int)inl);
- OPENSSL_free(buf_in);
+ OPENSSL_clear_free(buf_in, (unsigned int)inl);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EVP_LIB);
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 1096464..4681154 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -187,10 +187,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
goto err;
ret = 1;
err:
- if (buf != NULL) {
- OPENSSL_cleanse(buf, bytes);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, bytes);
bn_check_top(rnd);
return (ret);
}
diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c
index 2b61768..893ad46 100644
--- a/crypto/cms/cms_asn1.c
+++ b/crypto/cms/cms_asn1.c
@@ -251,16 +251,10 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
EVP_PKEY_CTX_free(ktri->pctx);
} else if (ri->type == CMS_RECIPINFO_KEK) {
CMS_KEKRecipientInfo *kekri = ri->d.kekri;
- if (kekri->key) {
- OPENSSL_cleanse(kekri->key, kekri->keylen);
- OPENSSL_free(kekri->key);
- }
+ OPENSSL_clear_free(kekri->key, kekri->keylen);
} else if (ri->type == CMS_RECIPINFO_PASS) {
CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
- if (pwri->pass) {
- OPENSSL_cleanse(pwri->pass, pwri->passlen);
- OPENSSL_free(pwri->pass);
- }
+ OPENSSL_clear_free(pwri->pass, pwri->passlen);
}
}
return 1;
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index ffa85fc..f1ac1d5 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -164,8 +164,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
goto err;
} else {
/* Use random key */
- OPENSSL_cleanse(ec->key, ec->keylen);
- OPENSSL_free(ec->key);
+ OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = tkey;
ec->keylen = tkeylen;
tkey = NULL;
@@ -196,14 +195,10 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
err:
if (ec->key && !keep_key) {
- OPENSSL_cleanse(ec->key, ec->keylen);
- OPENSSL_free(ec->key);
+ OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = NULL;
}
- if (tkey) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- }
+ OPENSSL_clear_free(tkey, tkeylen);
if (ok)
return b;
BIO_free(b);
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 98c1fe0..d146f84 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -465,11 +465,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
ret = 1;
- if (ec->key) {
- OPENSSL_cleanse(ec->key, ec->keylen);
- OPENSSL_free(ec->key);
- }
-
+ OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = ek;
ec->keylen = eklen;
@@ -937,12 +933,9 @@ BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
err:
ec->cipher = NULL;
- if (ec->key) {
- OPENSSL_cleanse(ec->key, ec->keylen);
- OPENSSL_free(ec->key);
- ec->key = NULL;
- ec->keylen = 0;
- }
+ OPENSSL_clear_free(ec->key, ec->keylen);
+ ec->key = NULL;
+ ec->keylen = 0;
if (ok)
return ret;
BIO_free(ret);
diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 69a5115..17b62dd 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -294,10 +294,7 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0))
goto err;
ec = cms->d.envelopedData->encryptedContentInfo;
- if (ec->key) {
- OPENSSL_cleanse(ec->key, ec->keylen);
- OPENSSL_free(ec->key);
- }
+ OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = cek;
ec->keylen = ceklen;
cek = NULL;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index ece5ce3..6416502 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -263,8 +263,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
memcpy(out, tmp + 4, *outlen);
rv = 1;
err:
- OPENSSL_cleanse(tmp, inlen);
- OPENSSL_free(tmp);
+ OPENSSL_clear_free(tmp, inlen);
return rv;
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 3fad054..e3ebc02 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -477,10 +477,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
*keylen = dctx->kdf_outlen;
ret = 1;
err:
- if (Z) {
- OPENSSL_cleanse(Z, Zlen);
- OPENSSL_free(Z);
- }
+ OPENSSL_clear_free(Z, Zlen);
return ret;
}
return 1;
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index e7f80a8..d79f261 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -188,10 +188,7 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
goto err;
ret = DSA_do_verify(dgst, dgst_len, s, dsa);
err:
- if (derlen > 0) {
- OPENSSL_cleanse(der, derlen);
- OPENSSL_free(der);
- }
+ OPENSSL_clear_free(der, derlen);
DSA_SIG_free(s);
return (ret);
}
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index b73263d..dbd91d6 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -127,9 +127,7 @@ void EC_KEY_free(EC_KEY *r)
EC_EX_DATA_free_all_data(&r->method_data);
- OPENSSL_cleanse((void *)r, sizeof(EC_KEY));
-
- OPENSSL_free(r);
+ OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
}
EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 0e850d6..b2a5d79 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -166,14 +166,8 @@ void EC_GROUP_clear_free(EC_GROUP *group)
EC_POINT_clear_free(group->generator);
BN_clear_free(group->order);
BN_clear_free(group->cofactor);
-
- if (group->seed) {
- OPENSSL_cleanse(group->seed, group->seed_len);
- OPENSSL_free(group->seed);
- }
-
- OPENSSL_cleanse(group, sizeof *group);
- OPENSSL_free(group);
+ OPENSSL_clear_free(group->seed, group->seed_len);
+ OPENSSL_clear_free(group, sizeof *group);
}
int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
@@ -751,8 +745,7 @@ void EC_POINT_clear_free(EC_POINT *point)
point->meth->point_clear_finish(point);
else if (point->meth->point_finish != 0)
point->meth->point_finish(point);
- OPENSSL_cleanse(point, sizeof *point);
- OPENSSL_free(point);
+ OPENSSL_clear_free(point, sizeof *point);
}
int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 979b454..6dabfc8 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -169,8 +169,7 @@ static void ec_pre_comp_clear_free(void *pre_)
}
OPENSSL_free(pre->points);
}
- OPENSSL_cleanse(pre, sizeof *pre);
- OPENSSL_free(pre);
+ OPENSSL_clear_free(pre, sizeof *pre);
}
/*
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 37f8fa1..5b3d197 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -268,10 +268,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
rv = 1;
err:
- if (ktmp) {
- OPENSSL_cleanse(ktmp, ktmplen);
- OPENSSL_free(ktmp);
- }
+ OPENSSL_clear_free(ktmp, ktmplen);
return rv;
}
#endif
diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
index 5afe71c..a5e76f4 100644
--- a/crypto/ec/ecp_nistp224.c
+++ b/crypto/ec/ecp_nistp224.c
@@ -1247,8 +1247,7 @@ static void nistp224_pre_comp_clear_free(void *pre_)
if (i > 0)
return;
- OPENSSL_cleanse(pre, sizeof *pre);
- OPENSSL_free(pre);
+ OPENSSL_clear_free(pre, sizeof *pre);
}
/******************************************************************************/
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 2f394bf..6fce22e 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -1862,8 +1862,7 @@ static void nistp256_pre_comp_clear_free(void *pre_)
if (i > 0)
return;
- OPENSSL_cleanse(pre, sizeof *pre);
- OPENSSL_free(pre);
+ OPENSSL_clear_free(pre, sizeof *pre);
}
/******************************************************************************/
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index b2fe653..8657a8f 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -1691,8 +1691,7 @@ static void nistp521_pre_comp_clear_free(void *pre_)
if (i > 0)
return;
- OPENSSL_cleanse(pre, sizeof(*pre));
- OPENSSL_free(pre);
+ OPENSSL_clear_free(pre, sizeof(*pre));
}
/******************************************************************************/
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index c527797..417c29a 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -1471,13 +1471,9 @@ static void ecp_nistz256_pre_comp_clear_free(void *pre_)
if (i > 0)
return;
- if (pre->precomp_storage) {
- OPENSSL_cleanse(pre->precomp,
- 32 * sizeof(unsigned char) * (1 << pre->w) * 2 * 37);
- OPENSSL_free(pre->precomp_storage);
- }
- OPENSSL_cleanse(pre, sizeof *pre);
- OPENSSL_free(pre);
+ OPENSSL_clear_free(pre->precomp,
+ 32 * sizeof(unsigned char) * (1 << pre->w) * 2 * 37);
+ OPENSSL_clear_free(pre, sizeof *pre);
}
static int ecp_nistz256_window_have_precompute_mult(const EC_GROUP *group)
diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c
index 7b57ec4..82f8850 100644
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -172,10 +172,7 @@ void ecdh_data_free(void *data)
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data);
-
- OPENSSL_cleanse((void *)r, sizeof(ECDH_DATA));
-
- OPENSSL_free(r);
+ OPENSSL_clear_free((void *)r, sizeof(ECDH_DATA));
}
ECDH_DATA *ecdh_check(EC_KEY *key)
diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c
index cdb7b60..55324f7 100644
--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@@ -160,9 +160,7 @@ static void ecdsa_data_free(void *data)
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data);
- OPENSSL_cleanse((void *)r, sizeof(ECDSA_DATA));
-
- OPENSSL_free(r);
+ OPENSSL_clear_free((void *)r, sizeof(ECDSA_DATA));
}
ECDSA_DATA *ecdsa_check(EC_KEY *key)
diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c
index e909aeb..b9bd32f 100644
--- a/crypto/ecdsa/ecs_vrf.c
+++ b/crypto/ecdsa/ecs_vrf.c
@@ -103,10 +103,7 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
goto err;
ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
err:
- if (derlen > 0) {
- OPENSSL_cleanse(der, derlen);
- OPENSSL_free(der);
- }
+ OPENSSL_clear_free(der, derlen);
ECDSA_SIG_free(s);
return (ret);
}
diff --git a/crypto/engine/eng_openssl.c b/crypto/engine/eng_openssl.c
index 78fa3c8..cc91044 100644
--- a/crypto/engine/eng_openssl.c
+++ b/crypto/engine/eng_openssl.c
@@ -463,15 +463,10 @@ static int ossl_hmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
static void ossl_hmac_cleanup(EVP_PKEY_CTX *ctx)
{
- OSSL_HMAC_PKEY_CTX *hctx;
- hctx = EVP_PKEY_CTX_get_data(ctx);
+ OSSL_HMAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx);
+
HMAC_CTX_cleanup(&hctx->ctx);
- if (hctx->ktmp.data) {
- if (hctx->ktmp.length)
- OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length);
- OPENSSL_free(hctx->ktmp.data);
- hctx->ktmp.data = NULL;
- }
+ OPENSSL_clear_free(hctx->ktmp.data, hctx->ktmp.length);
OPENSSL_free(hctx);
}
diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c
index 4409a91..0afd8cc 100644
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -137,8 +137,7 @@ static int enc_free(BIO *a)
return (0);
b = (BIO_ENC_CTX *)a->ptr;
EVP_CIPHER_CTX_cleanup(&(b->cipher));
- OPENSSL_cleanse(a->ptr, sizeof(BIO_ENC_CTX));
- OPENSSL_free(a->ptr);
+ OPENSSL_clear_free(a->ptr, sizeof(BIO_ENC_CTX));
a->ptr = NULL;
a->init = 0;
a->flags = 0;
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index 1aab200..eced061 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -202,8 +202,7 @@ static int ok_free(BIO *a)
if (a == NULL)
return (0);
EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md);
- OPENSSL_cleanse(a->ptr, sizeof(BIO_OK_CTX));
- OPENSSL_free(a->ptr);
+ OPENSSL_clear_free(a->ptr, sizeof(BIO_OK_CTX));
a->ptr = NULL;
a->init = 0;
a->flags = 0;
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index ce95350..043830d 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -349,8 +349,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
ctx->digest->cleanup(ctx);
if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
- OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
- OPENSSL_free(ctx->md_data);
+ OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
}
EVP_PKEY_CTX_free(ctx->pctx);
#ifndef OPENSSL_NO_ENGINE
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index 00fa72d..7a71637 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -292,7 +292,7 @@ int EVP_PBE_find(int type, int pbe_nid,
static void free_evp_pbe_ctl(EVP_PBE_CTL *pbe)
{
- OPENSSL_freeFunc(pbe);
+ OPENSSL_free(pbe);
}
void EVP_PBE_cleanup(void)
diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c
index adaa42f..481c855 100644
--- a/crypto/evp/p_open.c
+++ b/crypto/evp/p_open.c
@@ -105,9 +105,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
ret = 1;
err:
- if (key != NULL)
- OPENSSL_cleanse(key, size);
- OPENSSL_free(key);
+ OPENSSL_clear_free(key, size);
return (ret);
}
diff --git a/crypto/hmac/hm_pmeth.c b/crypto/hmac/hm_pmeth.c
index f2be144..f53f78c 100644
--- a/crypto/hmac/hm_pmeth.c
+++ b/crypto/hmac/hm_pmeth.c
@@ -113,13 +113,9 @@ static int pkey_hmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
static void pkey_hmac_cleanup(EVP_PKEY_CTX *ctx)
{
HMAC_PKEY_CTX *hctx = ctx->data;
+
HMAC_CTX_cleanup(&hctx->ctx);
- if (hctx->ktmp.data) {
- if (hctx->ktmp.length)
- OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length);
- OPENSSL_free(hctx->ktmp.data);
- hctx->ktmp.data = NULL;
- }
+ OPENSSL_clear_free(hctx->ktmp.data, hctx->ktmp.length);
OPENSSL_free(hctx);
}
diff --git a/crypto/mem.c b/crypto/mem.c
index afdce77..6176b38 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -417,8 +417,7 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
ret = malloc_ex_func(num, file, line);
if (ret) {
memcpy(ret, str, old_len);
- OPENSSL_cleanse(str, old_len);
- free_func(str);
+ OPENSSL_clear_free(str, old_len);
}
#ifdef LEVITTE_DEBUG_MEM
fprintf(stderr,
@@ -443,6 +442,15 @@ void CRYPTO_free(void *str)
free_debug_func(NULL, 1);
}
+void CRYPTO_clear_free(void *str, size_t num)
+{
+ if (!str)
+ return;
+ if (num)
+ OPENSSL_cleanse(str, num);
+ CRYPTO_free(str);
+}
+
void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
{
if (a != NULL)
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 4ac28b3..780b326 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -1709,10 +1709,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
{
- if (ctx) {
- OPENSSL_cleanse(ctx, sizeof(*ctx));
- OPENSSL_free(ctx);
- }
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
}
#if defined(SELFTEST)
diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c
index 0d82e50..efa403b 100644
--- a/crypto/modes/ocb128.c
+++ b/crypto/modes/ocb128.c
@@ -588,10 +588,7 @@ int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len)
void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
{
if (ctx) {
- if (ctx->l) {
- OPENSSL_cleanse(ctx->l, ctx->max_l_index * 16);
- OPENSSL_free(ctx->l);
- }
+ OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
OPENSSL_cleanse(ctx, sizeof(*ctx));
}
}
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 431e368..143d001 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -429,10 +429,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
OPENSSL_cleanse(iv, sizeof(iv));
OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
OPENSSL_cleanse(buf, PEM_BUFSIZE);
- if (data != NULL) {
- OPENSSL_cleanse(data, (unsigned int)dsize);
- OPENSSL_free(data);
- }
+ OPENSSL_clear_free(data, (unsigned int)dsize);
return (ret);
}
@@ -637,8 +634,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
EVP_EncodeFinal(&ctx, buf, &outl);
if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl))
goto err;
- OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
- OPENSSL_free(buf);
+ OPENSSL_clear_free(buf, PEM_BUFSIZE * 8);
buf = NULL;
if ((BIO_write(bp, "-----END ", 9) != 9) ||
(BIO_write(bp, name, nlen) != nlen) ||
@@ -646,10 +642,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
goto err;
return (i + outl);
err:
- if (buf) {
- OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, PEM_BUFSIZE * 8);
PEMerr(PEM_F_PEM_WRITE_BIO, reason);
return (0);
}
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 80c316e..0a110e1 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -139,8 +139,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB);
err:
OPENSSL_free(nm);
- OPENSSL_cleanse(data, len);
- OPENSSL_free(data);
+ OPENSSL_clear_free(data, len);
return (ret);
}
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 14ddb33..8ac9348 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -772,10 +772,7 @@ EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
ret = do_PVK_body(&p, saltlen, keylen, cb, u);
err:
- if (buf) {
- OPENSSL_cleanse(buf, buflen);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, buflen);
return ret;
}
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index 5a06208..45cac04 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -96,10 +96,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
id, iter, n, out, md_type);
if (ret <= 0)
return 0;
- if (unipass) {
- OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
- OPENSSL_free(unipass);
- }
+ OPENSSL_clear_free(unipass, uniplen);
return ret;
}
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 51e9c6e..4bc06b9 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -229,11 +229,7 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
ret = 1;
- if (*pek) {
- OPENSSL_cleanse(*pek, *peklen);
- OPENSSL_free(*pek);
- }
-
+ OPENSSL_clear_free(*pek, *peklen);
*pek = ek;
*peklen = eklen;
@@ -576,8 +572,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
*/
if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
/* Use random key as MMA defence */
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
+ OPENSSL_clear_free(ek, eklen);
ek = tkey;
eklen = tkeylen;
tkey = NULL;
@@ -588,16 +583,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0)
goto err;
- if (ek) {
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
- ek = NULL;
- }
- if (tkey) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- tkey = NULL;
- }
+ OPENSSL_clear_free(ek, eklen);
+ ek = NULL;
+ OPENSSL_clear_free(tkey, tkeylen);
+ tkey = NULL;
if (out == NULL)
out = etmp;
@@ -619,23 +608,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
}
BIO_push(out, bio);
bio = NULL;
- if (0) {
+ return out;
+
err:
- if (ek) {
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
- }
- if (tkey) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- }
- BIO_free_all(out);
- BIO_free_all(btmp);
- BIO_free_all(etmp);
- BIO_free_all(bio);
- out = NULL;
- }
- return (out);
+ OPENSSL_clear_free(ek, eklen);
+ OPENSSL_clear_free(tkey, tkeylen);
+ BIO_free_all(out);
+ BIO_free_all(btmp);
+ BIO_free_all(etmp);
+ BIO_free_all(bio);
+ return NULL;
}
static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 0bbaf67..acc116b 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -207,10 +207,7 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
{
- if (out) {
- OPENSSL_cleanse(out, olen);
- OPENSSL_free(out);
- }
+ OPENSSL_clear_free(out, olen);
}
/*
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 73a8e07..49c157a 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -243,10 +243,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
- if (buf != NULL) {
- OPENSSL_cleanse(buf, num);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, num);
return (r);
}
@@ -480,10 +477,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
- if (buf != NULL) {
- OPENSSL_cleanse(buf, num);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, num);
return (r);
}
@@ -622,10 +616,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
- if (buf != NULL) {
- OPENSSL_cleanse(buf, num);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, num);
return (r);
}
@@ -725,10 +716,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
- if (buf != NULL) {
- OPENSSL_cleanse(buf, num);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, num);
return (r);
}
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 5b4ce73..1430d5b 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -243,8 +243,7 @@ void RSA_free(RSA *r)
BN_BLINDING_free(r->blinding);
if (r->mt_blinding != NULL)
BN_BLINDING_free(r->mt_blinding);
- if (r->bignum_data != NULL)
- OPENSSL_free_locked(r->bignum_data);
+ OPENSSL_free_locked(r->bignum_data);
OPENSSL_free(r);
}
diff --git a/crypto/rsa/rsa_saos.c b/crypto/rsa/rsa_saos.c
index 80709f5..c462ae1 100644
--- a/crypto/rsa/rsa_saos.c
+++ b/crypto/rsa/rsa_saos.c
@@ -96,8 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
else
*siglen = i;
- OPENSSL_cleanse(s, (unsigned int)j + 1);
- OPENSSL_free(s);
+ OPENSSL_clear_free(s, (unsigned int)j + 1);
return (ret);
}
@@ -139,9 +138,6 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
ret = 1;
err:
ASN1_OCTET_STRING_free(sig);
- if (s != NULL) {
- OPENSSL_cleanse(s, (unsigned int)siglen);
- OPENSSL_free(s);
- }
+ OPENSSL_clear_free(s, (unsigned int)siglen);
return (ret);
}
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 3b2ba56..6965797 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -131,10 +131,8 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
else
*siglen = i;
- if (type != NID_md5_sha1) {
- OPENSSL_cleanse(tmps, (unsigned int)j + 1);
- OPENSSL_free(tmps);
- }
+ if (type != NID_md5_sha1)
+ OPENSSL_clear_free(tmps, (unsigned int)j + 1);
return (ret);
}
@@ -153,8 +151,7 @@ static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo,
return 0;
if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
ret = 1;
- OPENSSL_cleanse(der, derlen);
- OPENSSL_free(der);
+ OPENSSL_clear_free(der, derlen);
return ret;
}
@@ -267,10 +264,7 @@ int int_rsa_verify(int dtype, const unsigned char *m,
}
err:
X509_SIG_free(sig);
- if (s != NULL) {
- OPENSSL_cleanse(s, (unsigned int)siglen);
- OPENSSL_free(s);
- }
+ OPENSSL_clear_free(s, (unsigned int)siglen);
return (ret);
}
diff --git a/engines/e_4758cca.c b/engines/e_4758cca.c
index 3b593c7..b605a79 100644
--- a/engines/e_4758cca.c
+++ b/engines/e_4758cca.c
@@ -709,10 +709,8 @@ static int cca_rsa_verify(int type, const unsigned char *m,
&keyTokenLength, keyToken, &length, hashBuffer,
&lsiglen, (unsigned char *)sigbuf);
- if (type == NID_sha1 || type == NID_md5) {
- OPENSSL_cleanse(hashBuffer, keyLength + 1);
- OPENSSL_free(hashBuffer);
- }
+ if (type == NID_sha1 || type == NID_md5)
+ OPENSSL_clear_free(hashBuffer, keyLength + 1);
return ((returnCode || reasonCode) ? 0 : 1);
}
@@ -820,10 +818,8 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
&keyTokenLength, keyToken, &length, hashBuffer,
&outputLength, &outputBitLength, sigret);
- if (type == NID_sha1 || type == NID_md5) {
- OPENSSL_cleanse(hashBuffer, keyLength + 1);
- OPENSSL_free(hashBuffer);
- }
+ if (type == NID_sha1 || type == NID_md5)
+ OPENSSL_clear_free(hashBuffer, keyLength + 1);
*siglen = outputLength;
diff --git a/engines/e_sureware.c b/engines/e_sureware.c
index 4580250..9e56a7d 100644
--- a/engines/e_sureware.c
+++ b/engines/e_sureware.c
@@ -948,10 +948,7 @@ static int surewarehk_rsa_priv_dec(int flen, const unsigned char *from,
SUREWARE_R_PADDING_CHECK_FAILED);
}
err:
- if (buf) {
- OPENSSL_cleanse(buf, tlen);
- OPENSSL_free(buf);
- }
+ OPENSSL_clear_free(buf, tlen);
return ret;
}
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 9762398..f05084f 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -373,7 +373,7 @@ int CRYPTO_is_mem_check_on(void);
CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
# define OPENSSL_remalloc(addr,num) \
CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
-# define OPENSSL_freeFunc CRYPTO_free
+# define OPENSSL_clear_free(addr, num) CRYPTO_clear_free(addr, num)
# define OPENSSL_free(addr) CRYPTO_free(addr)
# define OPENSSL_malloc_locked(num) \
@@ -526,6 +526,7 @@ void CRYPTO_free_locked(void *ptr);
void *CRYPTO_malloc(int num, const char *file, int line);
char *CRYPTO_strdup(const char *str, const char *file, int line);
void CRYPTO_free(void *ptr);
+void CRYPTO_clear_free(void *ptr, size_t num);
void *CRYPTO_realloc(void *addr, int num, const char *file, int line);
void *CRYPTO_realloc_clean(void *addr, int old_num, int num, const char *file,
int line);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index bbff778..71756cd 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3073,8 +3073,7 @@ int ssl3_send_client_key_exchange(SSL *s)
s->
session->master_key,
pms, pmslen);
- OPENSSL_cleanse(pms, pmslen);
- OPENSSL_free(pms);
+ OPENSSL_clear_free(pms, pmslen);
s->cert->pms = NULL;
if (s->session->master_key_length < 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
@@ -3087,11 +3086,8 @@ int ssl3_send_client_key_exchange(SSL *s)
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
err:
- if (pms) {
- OPENSSL_cleanse(pms, pmslen);
- OPENSSL_free(pms);
- s->cert->pms = NULL;
- }
+ OPENSSL_clear_free(pms, pmslen);
+ s->cert->pms = NULL;
#ifndef OPENSSL_NO_EC
BN_CTX_free(bn_ctx);
if (encodedPoint != NULL)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 8fc5bc4..df86f5b 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -471,11 +471,8 @@ int ssl3_setup_key_block(SSL *s)
void ssl3_cleanup_key_block(SSL *s)
{
- if (s->s3->tmp.key_block != NULL) {
- OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
- OPENSSL_free(s->s3->tmp.key_block);
- s->s3->tmp.key_block = NULL;
- }
+ OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
+ s->s3->tmp.key_block = NULL;
s->s3->tmp.key_block_length = 0;
}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ef2ddb4..190d0f1 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3138,8 +3138,7 @@ void ssl3_free(SSL *s)
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
- OPENSSL_cleanse(s->s3, sizeof *s->s3);
- OPENSSL_free(s->s3);
+ OPENSSL_clear_free(s->s3, sizeof *s->s3);
s->s3 = NULL;
}
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0ae9646..a15c5f9 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -465,11 +465,8 @@ void ssl_cert_free(CERT *c)
custom_exts_free(&c->cli_ext);
custom_exts_free(&c->srv_ext);
#endif
- if (c->pms) {
- OPENSSL_cleanse(c->pms, c->pmslen);
- OPENSSL_free(c->pms);
- c->pms = NULL;
- }
+ OPENSSL_clear_free(c->pms, c->pmslen);
+ c->pms = NULL;
OPENSSL_free(c);
}
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index eed38ca..cec5905 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -759,8 +759,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
if (ss->srp_username != NULL)
OPENSSL_free(ss->srp_username);
#endif
- OPENSSL_cleanse(ss, sizeof(*ss));
- OPENSSL_free(ss);
+ OPENSSL_clear_free(ss, sizeof(*ss));
}
int SSL_set_session(SSL *s, SSL_SESSION *session)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 1f58ed0..edb6558 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -717,10 +717,7 @@ int tls1_setup_key_block(SSL *s)
ret = 1;
err:
- if (p2) {
- OPENSSL_cleanse(p2, num);
- OPENSSL_free(p2);
- }
+ OPENSSL_clear_free(p2, num);
return (ret);
}
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 33d398f..5d895cc 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -339,7 +339,7 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
{
BIGNUM *K = NULL, *u = NULL;
- int ret = -1, tmp_len;
+ int ret = -1, tmp_len = 0;
unsigned char *tmp = NULL;
if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
@@ -360,10 +360,7 @@ int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
tmp_len);
err:
- if (tmp) {
- OPENSSL_cleanse(tmp, tmp_len);
- OPENSSL_free(tmp);
- }
+ OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K);
BN_clear_free(u);
return ret;
@@ -373,7 +370,7 @@ int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
{
BIGNUM *x = NULL, *u = NULL, *K = NULL;
- int ret = -1, tmp_len;
+ int ret = -1, tmp_len = 0;
char *passwd = NULL;
unsigned char *tmp = NULL;
@@ -407,16 +404,10 @@ int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
tmp_len);
err:
- if (tmp) {
- OPENSSL_cleanse(tmp, tmp_len);
- OPENSSL_free(tmp);
- }
+ OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K);
BN_clear_free(x);
- if (passwd) {
- OPENSSL_cleanse(passwd, strlen(passwd));
- OPENSSL_free(passwd);
- }
+ OPENSSL_clear_free(passwd, strlen(passwd));
BN_clear_free(u);
return ret;
}
diff --git a/util/libeay.num b/util/libeay.num
index 553a160..bc4bb44 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4555,3 +4555,5 @@ OBJ_get0_data 4913 EXIST::FUNCTION:
X509_NAME_ENTRY_set 4914 EXIST::FUNCTION:
ASN1_TYPE_pack_sequence 4915 EXIST::FUNCTION:
ASN1_TYPE_unpack_sequence 4916 EXIST::FUNCTION:
+CRYPTO_clean_free 4917 NOEXIST::FUNCTION:
+CRYPTO_clear_free 4918 EXIST::FUNCTION:
More information about the openssl-commits
mailing list