diff options
-rw-r--r-- | lib/libssl/d1_lib.c | 21 | ||||
-rw-r--r-- | lib/libssl/dtls1.h | 6 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 18 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 16 | ||||
-rw-r--r-- | lib/libssl/ssl3.h | 6 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 35 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 22 | ||||
-rw-r--r-- | lib/libssl/ssl_sess.c | 16 |
8 files changed, 111 insertions, 29 deletions
diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c index 56c79f30aa8..3bc1b42583e 100644 --- a/lib/libssl/d1_lib.c +++ b/lib/libssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.34 2016/11/04 18:33:11 guenther Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.35 2017/01/22 03:50:45 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -105,7 +105,12 @@ dtls1_new(SSL *s) if (!ssl3_new(s)) return (0); - if ((d1 = calloc(1, sizeof *d1)) == NULL) { + if ((d1 = calloc(1, sizeof(*d1))) == NULL) { + ssl3_free(s); + return (0); + } + if ((d1->internal = calloc(1, sizeof(*d1->internal))) == NULL) { + free(d1); ssl3_free(s); return (0); } @@ -199,14 +204,19 @@ dtls1_free(SSL *s) pqueue_free(s->d1->sent_messages); pqueue_free(s->d1->buffered_app_data.q); - explicit_bzero(s->d1, sizeof *s->d1); + explicit_bzero(s->d1->internal, sizeof(*s->d1->internal)); + free(s->d1->internal); + + explicit_bzero(s->d1, sizeof(*s->d1)); free(s->d1); + s->d1 = NULL; } void dtls1_clear(SSL *s) { + struct dtls1_state_internal_st *internal; pqueue unprocessed_rcds; pqueue processed_rcds; pqueue buffered_messages; @@ -224,7 +234,10 @@ dtls1_clear(SSL *s) dtls1_clear_queues(s); - memset(s->d1, 0, sizeof(*(s->d1))); + memset(s->d1->internal, 0, sizeof(*s->d1->internal)); + internal = s->d1->internal; + memset(s->d1, 0, sizeof(*s->d1)); + s->d1->internal = internal; if (s->server) { s->d1->cookie_len = sizeof(s->d1->cookie); diff --git a/lib/libssl/dtls1.h b/lib/libssl/dtls1.h index 8ec0bb84212..812b90592d3 100644 --- a/lib/libssl/dtls1.h +++ b/lib/libssl/dtls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dtls1.h,v 1.19 2016/12/30 15:10:57 jsing Exp $ */ +/* $OpenBSD: dtls1.h,v 1.20 2017/01/22 03:50:45 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -150,6 +150,8 @@ typedef struct hm_fragment_st { unsigned char *reassembly; } hm_fragment; +struct dtls1_state_internal_st; + typedef struct dtls1_state_st { unsigned int send_cookie; unsigned char cookie[DTLS1_COOKIE_LENGTH]; @@ -222,7 +224,7 @@ typedef struct dtls1_state_st { unsigned int retransmitting; unsigned int change_cipher_spec_ok; - + struct dtls1_state_internal_st *internal; } DTLS1_STATE; typedef struct dtls1_record_data_st { diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 0dda987d4c1..6f5ee4fa50d 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.117 2017/01/22 00:09:13 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.118 2017/01/22 03:50:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1811,6 +1811,10 @@ ssl3_new(SSL *s) { if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL) return (0); + if ((s->s3->internal = calloc(1, sizeof(*s->s3->internal))) == NULL) { + free(s->s3); + return (0); + } s->method->ssl_clear(s); @@ -1840,14 +1844,19 @@ ssl3_free(SSL *s) tls1_free_digest_list(s); free(s->s3->alpn_selected); - explicit_bzero(s->s3, sizeof *s->s3); + explicit_bzero(s->s3->internal, sizeof(*s->s3->internal)); + free(s->s3->internal); + + explicit_bzero(s->s3, sizeof(*s->s3)); free(s->s3); + s->s3 = NULL; } void ssl3_clear(SSL *s) { + struct ssl3_state_internal_st *internal; unsigned char *rp, *wp; size_t rlen, wlen; @@ -1878,7 +1887,10 @@ ssl3_clear(SSL *s) free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; - memset(s->s3, 0, sizeof *s->s3); + memset(s->s3->internal, 0, sizeof(*s->s3->internal)); + internal = s->s3->internal; + memset(s->s3, 0, sizeof(*s->s3)); + s->s3->internal = internal; s->s3->rbuf.buf = rp; s->s3->wbuf.buf = wp; diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 37844bdeaa0..e8ad9fb4704 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.102 2016/12/30 17:20:51 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.103 2017/01/22 03:50:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -353,6 +353,7 @@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; + typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; typedef struct ssl_method_st SSL_METHOD; typedef struct ssl_cipher_st SSL_CIPHER; @@ -455,6 +456,8 @@ struct ssl_method_st { * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). */ +struct ssl_session_internal_st; + struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ @@ -513,6 +516,8 @@ struct ssl_session_st { unsigned char *tlsext_tick; /* Session ticket */ size_t tlsext_ticklen; /* Session ticket length */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ + + struct ssl_session_internal_st *internal; }; #endif @@ -687,6 +692,8 @@ struct lhash_st_SSL_SESSION { int dummy; }; +struct ssl_ctx_internal_st; + struct ssl_ctx_st { const SSL_METHOD *method; @@ -885,6 +892,8 @@ struct ssl_ctx_st { /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; + + struct ssl_ctx_internal_st *internal; }; #endif @@ -997,6 +1006,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 #ifndef OPENSSL_NO_SSL_INTERN +struct ssl_internal_st; struct ssl_st { /* protocol version @@ -1192,6 +1202,7 @@ struct ssl_st { void *tls_session_secret_cb_arg; SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ +#define session_ctx initial_ctx /* Next protocol negotiation. For the client, this is the protocol that * we sent in NextProtocol and is set when handling ServerHello @@ -1203,8 +1214,6 @@ struct ssl_st { unsigned char *next_proto_negotiated; unsigned char next_proto_negotiated_len; -#define session_ctx initial_ctx - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ @@ -1224,6 +1233,7 @@ struct ssl_st { * 2 if we are a server and are inside a handshake * (i.e. not just sending a HelloRequest) */ + struct ssl_internal_st *internal; }; #endif diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h index c52c0a780eb..63441761050 100644 --- a/lib/libssl/ssl3.h +++ b/lib/libssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.43 2016/12/30 15:10:57 jsing Exp $ */ +/* $OpenBSD: ssl3.h,v 1.44 2017/01/22 03:50:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -359,6 +359,8 @@ typedef struct ssl3_buffer_st { #ifndef OPENSSL_NO_SSL_INTERN +struct ssl3_state_internal_st; + typedef struct ssl3_state_st { long flags; int delay_buf_pop_ret; @@ -489,6 +491,8 @@ typedef struct ssl3_state_st { */ unsigned char *alpn_selected; unsigned int alpn_selected_len; + + struct ssl3_state_internal_st *internal; } SSL3_STATE; #endif diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 7eb192eb2cd..d9e5166cdd2 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.125 2017/01/21 04:16:49 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.126 2017/01/22 03:50:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -274,10 +274,15 @@ SSL_new(SSL_CTX *ctx) return (NULL); } - s = calloc(1, sizeof(SSL)); - if (s == NULL) - goto err; - + if ((s = calloc(1, sizeof(*s))) == NULL) { + SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); + } + if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) { + free(s); + SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); + } s->options = ctx->options; s->mode = ctx->mode; @@ -361,7 +366,7 @@ SSL_new(SSL_CTX *ctx) return (s); -err: + err: SSL_free(s); SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); return (NULL); @@ -549,7 +554,6 @@ SSL_free(SSL *s) SSL_CTX_free(s->ctx); - free(s->next_proto_negotiated); free(s->alpn_client_proto_list); @@ -558,6 +562,7 @@ SSL_free(SSL *s) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif + free(s->internal); free(s); } @@ -1792,21 +1797,28 @@ ssl_session_LHASH_COMP(const void *arg1, const void *arg2) SSL_CTX * SSL_CTX_new(const SSL_METHOD *meth) { - SSL_CTX *ret = NULL; + SSL_CTX *ret; if (meth == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); return (NULL); } + if ((ret = calloc(1, sizeof(*ret))) == NULL) { + SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); + } + if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) { + free(ret); + SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); + } + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } - ret = calloc(1, sizeof(SSL_CTX)); - if (ret == NULL) - goto err; ret->method = meth; @@ -1993,6 +2005,7 @@ SSL_CTX_free(SSL_CTX *a) free(a->alpn_client_proto_list); + free(a->internal); free(a); } diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 5748875092b..50f527aad51 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.145 2017/01/21 04:18:18 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.146 2017/01/22 03:50:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -372,6 +372,26 @@ __BEGIN_HIDDEN_DECLS #define EXPLICIT_CHAR2_CURVE_TYPE 2 #define NAMED_CURVE_TYPE 3 +typedef struct ssl_session_internal_st { + +} SSL_SESSION_INTERNAL; + +typedef struct ssl_ctx_internal_st { + +} SSL_CTX_INTERNAL; + +typedef struct ssl_internal_st { + +} SSL_INTERNAL; + +typedef struct ssl3_state_internal_st { + +} SSL3_STATE_INTERNAL; + +typedef struct dtls1_state_internal_st { + +} DTLS1_STATE_INTERNAL; + typedef struct cert_pkey_st { X509 *x509; EVP_PKEY *privatekey; diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index f6e2642aeb0..0970633a862 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.53 2016/11/02 11:21:05 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.54 2017/01/22 03:50:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -199,10 +199,14 @@ SSL_SESSION_new(void) { SSL_SESSION *ss; - ss = calloc(1, sizeof(SSL_SESSION)); - if (ss == NULL) { + if ((ss = calloc(1, sizeof(*ss))) == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); - return (0); + return (NULL); + } + if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) { + free(ss); + SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); } ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ @@ -706,6 +710,10 @@ SSL_SESSION_free(SSL_SESSION *ss) free(ss->tlsext_ecpointformatlist); ss->tlsext_ellipticcurvelist_length = 0; free(ss->tlsext_ellipticcurvelist); + + explicit_bzero(ss->internal, sizeof(*ss->internal)); + free(ss->internal); + explicit_bzero(ss, sizeof(*ss)); free(ss); } |