clear/cleanse cleanup

[openssl.git] / ssl / s3_enc.c

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index d3269245d3f9ac41099cda3e4202303c5646d254..dd93e251ae727fc4139f2d3224c873e06bcb1ef5 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -206,7 +206,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
         km += MD5_DIGEST_LENGTH;
     }
-    OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
+    OPENSSL_cleanse(smd, sizeof(smd));
     EVP_MD_CTX_cleanup(&m5);
     EVP_MD_CTX_cleanup(&s1);
     return 1;
@@ -244,7 +244,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
         if (s->enc_read_ctx != NULL)
             reuse_dd = 1;
         else if ((s->enc_read_ctx =
-                  OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+                  OPENSSL_malloc(sizeof(*s->enc_read_ctx))) == NULL)
             goto err;
         else
             /*
@@ -253,16 +253,14 @@ int ssl3_change_cipher_state(SSL *s, int which)
             EVP_CIPHER_CTX_init(s->enc_read_ctx);
         dd = s->enc_read_ctx;
 
-        if(!ssl_replace_hash(&s->read_hash, m)) {
+        if (!ssl_replace_hash(&s->read_hash, m)) {
                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
                 goto err2;
         }
 #ifndef OPENSSL_NO_COMP
         /* COMPRESS */
-        if (s->expand != NULL) {
-            COMP_CTX_free(s->expand);
-            s->expand = NULL;
-        }
+        COMP_CTX_free(s->expand);
+        s->expand = NULL;
         if (comp != NULL) {
             s->expand = COMP_CTX_new(comp);
             if (s->expand == NULL) {
@@ -270,18 +268,17 @@ int ssl3_change_cipher_state(SSL *s, int which)
                        SSL_R_COMPRESSION_LIBRARY_ERROR);
                 goto err2;
             }
-            if(!SSL3_RECORD_setup(RECORD_LAYER_get_rrec(&s->rlayer),
-                SSL3_RT_MAX_PLAIN_LENGTH))
+            if (!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
                 goto err;
         }
 #endif
-        memset(&(s->s3->read_sequence[0]), 0, 8);
+        RECORD_LAYER_reset_read_sequence(&s->rlayer);
         mac_secret = &(s->s3->read_mac_secret[0]);
     } else {
         if (s->enc_write_ctx != NULL)
             reuse_dd = 1;
         else if ((s->enc_write_ctx =
-                  OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+                  OPENSSL_malloc(sizeof(*s->enc_write_ctx))) == NULL)
             goto err;
         else
             /*
@@ -289,16 +286,14 @@ int ssl3_change_cipher_state(SSL *s, int which)
              */
             EVP_CIPHER_CTX_init(s->enc_write_ctx);
         dd = s->enc_write_ctx;
-        if(!ssl_replace_hash(&s->write_hash, m)) {
+        if (!ssl_replace_hash(&s->write_hash, m)) {
                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
                 goto err2;
         }
 #ifndef OPENSSL_NO_COMP
         /* COMPRESS */
-        if (s->compress != NULL) {
-            COMP_CTX_free(s->compress);
-            s->compress = NULL;
-        }
+        COMP_CTX_free(s->compress);
+        s->compress = NULL;
         if (comp != NULL) {
             s->compress = COMP_CTX_new(comp);
             if (s->compress == NULL) {
@@ -308,7 +303,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
             }
         }
 #endif
-        memset(&(s->s3->write_sequence[0]), 0, 8);
+        RECORD_LAYER_reset_write_sequence(&s->rlayer);
         mac_secret = &(s->s3->write_mac_secret[0]);
     }
 
@@ -393,13 +388,15 @@ int ssl3_change_cipher_state(SSL *s, int which)
     }
 #endif
 
-    OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
-    OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
+    OPENSSL_cleanse(exp_key, sizeof(exp_key));
+    OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
     EVP_MD_CTX_cleanup(&md);
     return (1);
  err:
     SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  err2:
+    OPENSSL_cleanse(exp_key, sizeof(exp_key));
+    OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
     return (0);
 }
 
@@ -472,11 +469,8 @@ int ssl3_setup_key_block(SSL *s)
 
 void ssl3_cleanup_key_block(SSL *s)
 {
-    if (s->s3->tmp.key_block != NULL) {
-        OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
-        OPENSSL_free(s->s3->tmp.key_block);
-        s->s3->tmp.key_block = NULL;
-    }
+    OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
+    s->s3->tmp.key_block = NULL;
     s->s3->tmp.key_block_length = 0;
 }
 
@@ -527,12 +521,13 @@ int ssl3_digest_cached_records(SSL *s)
     /* Allocate handshake_dgst array */
     ssl3_free_digest_list(s);
     s->s3->handshake_dgst =
-        OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+        OPENSSL_malloc(sizeof(*s->s3->handshake_dgst) * SSL_MAX_DIGEST);
     if (s->s3->handshake_dgst == NULL) {
         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+    memset(s->s3->handshake_dgst, 0,
+           sizeof(*s->s3->handshake_dgst) * SSL_MAX_DIGEST);
     hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
     if (hdatalen <= 0) {
         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
@@ -639,17 +634,6 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
     return ((int)ret);
 }
 
-void ssl3_record_sequence_update(unsigned char *seq)
-{
-    int i;
-
-    for (i = 7; i >= 0; i--) {
-        ++seq[i];
-        if (seq[i] != 0)
-            break;
-    }
-}
-
 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
                                 int len)
 {
@@ -705,7 +689,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
                         s, s->msg_callback_arg);
     }
 #endif
-    OPENSSL_cleanse(buf, sizeof buf);
+    OPENSSL_cleanse(buf, sizeof(buf));
     return (ret);
 }