diff options
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ssl_rsa.c | 13 | ||||
| -rw-r--r-- | ssl/statem/statem_clnt.c | 24 | ||||
| -rw-r--r-- | ssl/statem/statem_srvr.c | 10 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 10 |
4 files changed, 18 insertions, 39 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index a23b28e76c..a02230d0f1 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -179,10 +179,9 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) if (c->pkeys[i].x509 != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(c->pkeys[i].x509); + pktmp = X509_get0_pubkey(c->pkeys[i].x509); if (pktmp == NULL) { SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE); - EVP_PKEY_free(pktmp); return 0; } /* @@ -190,7 +189,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) * ignored. Some EVP_PKEY types cannot do this. */ EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); ERR_clear_error(); #ifndef OPENSSL_NO_RSA @@ -369,7 +367,7 @@ static int ssl_set_cert(CERT *c, X509 *x) EVP_PKEY *pkey; int i; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (pkey == NULL) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); return (0); @@ -378,8 +376,7 @@ static int ssl_set_cert(CERT *c, X509 *x) i = ssl_cert_type(x, pkey); if (i < 0) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - EVP_PKEY_free(pkey); - return (0); + return 0; } if (c->pkeys[i].privatekey != NULL) { @@ -413,14 +410,12 @@ static int ssl_set_cert(CERT *c, X509 *x) } } - EVP_PKEY_free(pkey); - X509_free(c->pkeys[i].x509); X509_up_ref(x); c->pkeys[i].x509 = x; c->key = &(c->pkeys[i]); - return (1); + return 1; } #ifndef OPENSSL_NO_STDIO diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index a7c51dfca2..c0eeeed102 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1524,7 +1524,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end */ - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { x = NULL; @@ -1570,7 +1570,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) err: ossl_statem_set_error(s); done: - EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk, X509_free); return ret; @@ -1686,7 +1685,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) /* We must check if there is a certificate */ if (alg_a & (SSL_aRSA|SSL_aDSS)) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); } #endif /* !OPENSSL_NO_SRP */ #ifndef OPENSSL_NO_DH @@ -1739,7 +1738,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto f_err; } if (alg_a & (SSL_aRSA|SSL_aDSS)) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); /* else anonymous DH, so no certificate or pkey. */ } #endif /* !OPENSSL_NO_DH */ @@ -1809,11 +1808,11 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) if (0) ; # ifndef OPENSSL_NO_RSA else if (alg_a & SSL_aRSA) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); # endif # ifndef OPENSSL_NO_EC else if (alg_a & SSL_aECDSA) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); # endif /* else anonymous ECDH, so no certificate or pkey. */ } else if (alg_k) { @@ -1912,13 +1911,11 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto f_err; } } - EVP_PKEY_free(pkey); EVP_MD_CTX_free(md_ctx); return MSG_PROCESS_CONTINUE_READING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - EVP_PKEY_free(pkey); #ifndef OPENSSL_NO_RSA RSA_free(rsa); #endif @@ -2363,12 +2360,11 @@ psk_err: goto err; } - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - EVP_PKEY_free(pkey); goto err; } @@ -2501,7 +2497,6 @@ psk_err: unsigned int md_len; unsigned char shared_ukm[32], tmp[256]; EVP_MD_CTX *ukm_hash; - EVP_PKEY *pub_key; int dgst_nid = NID_id_GostR3411_94; if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) dgst_nid = NID_id_GostR3411_2012_256; @@ -2522,8 +2517,7 @@ psk_err: goto err; } - pkey_ctx = EVP_PKEY_CTX_new(pub_key = - X509_get_pubkey(peer_cert), NULL); + pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); if (pkey_ctx == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); @@ -2611,7 +2605,6 @@ psk_err: s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; } EVP_PKEY_CTX_free(pkey_ctx); - EVP_PKEY_free(pub_key); } #endif @@ -2963,9 +2956,8 @@ int ssl3_check_cert_and_algorithm(SSL *s) goto f_err; } #endif - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); i = X509_certificate_type(s->session->peer, pkey); - EVP_PKEY_free(pkey); /* Check that we have a certificate if we require one */ if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 38f01e1054..66ff3e61e2 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2553,7 +2553,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) * EVP_PKEY_derive_set_peer, because it is completely valid to use a * client certificate for authorization only. */ - client_pub_pkey = X509_get_pubkey(s->session->peer); + client_pub_pkey = X509_get0_pubkey(s->session->peer); if (client_pub_pkey) { if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) ERR_clear_error(); @@ -2595,11 +2595,9 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) s->statem.no_cert_verify = 1; - EVP_PKEY_free(client_pub_pkey); EVP_PKEY_CTX_free(pkey_ctx); return MSG_PROCESS_CONTINUE_PROCESSING; gerr: - EVP_PKEY_free(client_pub_pkey); EVP_PKEY_CTX_free(pkey_ctx); goto f_err; } else @@ -2725,7 +2723,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } peer = s->session->peer; - pkey = X509_get_pubkey(peer); + pkey = X509_get0_pubkey(peer); type = X509_certificate_type(peer, pkey); if (!(type & EVP_PKT_SIGN)) { @@ -2842,7 +2840,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) BIO_free(s->s3->handshake_buffer); s->s3->handshake_buffer = NULL; EVP_MD_CTX_free(mctx); - EVP_PKEY_free(pkey); return ret; } @@ -2931,14 +2928,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) al = SSL_AD_HANDSHAKE_FAILURE; goto f_err; } - pkey = X509_get_pubkey(sk_X509_value(sk, 0)); + pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); if (pkey == NULL) { al = SSL3_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto f_err; } - EVP_PKEY_free(pkey); } X509_free(s->session->peer); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 421a5a6f93..a2a68af6c9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -786,16 +786,13 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) unsigned char comp_id, curve_id[2]; EVP_PKEY *pkey; int rv; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (!pkey) return 0; /* If not EC nothing to do */ - if (pkey->type != EVP_PKEY_EC) { - EVP_PKEY_free(pkey); + if (pkey->type != EVP_PKEY_EC) return 1; - } rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); - EVP_PKEY_free(pkey); if (!rv) return 0; /* @@ -4254,7 +4251,7 @@ DH *ssl_get_auto_dh(SSL *s) static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) { int secbits = -1; - EVP_PKEY *pkey = X509_get_pubkey(x); + EVP_PKEY *pkey = X509_get0_pubkey(x); if (pkey) { /* * If no parameters this will return -1 and fail using the default @@ -4263,7 +4260,6 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) * omission of parameters is never (?) done in practice. */ secbits = EVP_PKEY_security_bits(pkey); - EVP_PKEY_free(pkey); } if (s) return ssl_security(s, op, secbits, 0, x); |