diff options
author | Miod Vallat <miod@cvs.openbsd.org> | 2014-06-04 21:05:31 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2014-06-04 21:05:31 +0000 |
commit | c5e4dba7acbb3da88c94dddf85bbe41cdacaa411 (patch) | |
tree | d76b03ad404b86c6ca2db0580abfe6bcac17886d | |
parent | 13eed0265c7dd4bd313b7b59ef6210a0ee599810 (diff) |
Sanitize use of client_opaque_prf_input: set it to NULL immediately after
free()ing it, rather than in conditional code.
Also do not bother setting server_opaque_prf_input (server, not client) to
NULL in conditional code 10 lines after explicitely free()ing it and setting
it to NULL (were the developers afraid of zombie pointers?)
ok guenther@
-rw-r--r-- | lib/libssl/src/ssl/t1_lib.c | 40 |
1 files changed, 22 insertions, 18 deletions
diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index a18032b9c8b..e46e2530e37 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -1147,10 +1147,9 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } free(s->s3->client_opaque_prf_input); + s->s3->client_opaque_prf_input = NULL; - if (s->s3->client_opaque_prf_input_len == 0) - s->s3->client_opaque_prf_input = NULL; - else { + if (s->s3->client_opaque_prf_input_len != 0) { s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); @@ -1615,16 +1614,16 @@ ssl_prepare_clienthello_tlsext(SSL *s) int r = 1; if (s->ctx->tlsext_opaque_prf_input_callback != 0) { - r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); + r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, + s->ctx->tlsext_opaque_prf_input_callback_arg); if (!r) return -1; } if (s->tlsext_opaque_prf_input != NULL) { free(s->s3->client_opaque_prf_input); - if (s->tlsext_opaque_prf_input_len == 0) - s->s3->client_opaque_prf_input = NULL; - else { + s->s3->client_opaque_prf_input = NULL; + if (s->tlsext_opaque_prf_input_len != 0) { s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); @@ -1634,7 +1633,8 @@ ssl_prepare_clienthello_tlsext(SSL *s) return -1; } } - s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + s->s3->client_opaque_prf_input_len = + s->tlsext_opaque_prf_input_len; } if (r == 2) { @@ -1704,7 +1704,8 @@ ssl_check_clienthello_tlsext_early(SSL *s) int r = 1; if (s->ctx->tlsext_opaque_prf_input_callback != 0) { - r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); + r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, + s->ctx->tlsext_opaque_prf_input_callback_arg); if (!r) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_INTERNAL_ERROR; @@ -1717,13 +1718,14 @@ ssl_check_clienthello_tlsext_early(SSL *s) if (s->tlsext_opaque_prf_input != NULL) { if (s->s3->client_opaque_prf_input != NULL && - s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { - /* can only use this extension if we have a server opaque PRF input - * of the same length as the client opaque PRF input! */ - - if (s->tlsext_opaque_prf_input_len == 0) - s->s3->server_opaque_prf_input = NULL; - else { + s->s3->client_opaque_prf_input_len == + s->tlsext_opaque_prf_input_len) { + /* + * Can only use this extension if we have a + * server opaque PRF input of the same length + * as the client opaque PRF input! + */ + if (s->tlsext_opaque_prf_input_len != 0) { s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); @@ -1734,7 +1736,8 @@ ssl_check_clienthello_tlsext_early(SSL *s) goto err; } } - s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + s->s3->server_opaque_prf_input_len = + s->tlsext_opaque_prf_input_len; } } @@ -1877,7 +1880,8 @@ ssl_check_serverhello_tlsext(SSL *s) /* Anytime the server *has* sent an opaque PRF input, we need to check * that we have a client opaque PRF input of the same size. */ if (s->s3->client_opaque_prf_input == NULL || - s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) { + s->s3->client_opaque_prf_input_len != + s->s3->server_opaque_prf_input_len) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_ILLEGAL_PARAMETER; } |