From 8382fd3a93cb076af5ad954613557152c878172f Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 20 Dec 2015 00:32:36 +0000 Subject: [PATCH] Use X509_get0_pubkey where appropriate Reviewed-by: Rich Salz --- crypto/cms/cms_env.c | 5 +---- crypto/ocsp/ocsp_vfy.c | 9 +++------ crypto/pkcs7/pk7_doit.c | 6 ++---- crypto/pkcs7/pk7_lib.c | 5 +---- crypto/x509/x509_cmp.c | 2 +- crypto/x509/x509_req.c | 3 +-- crypto/x509/x509type.c | 4 +--- ssl/ssl_rsa.c | 13 ++++--------- ssl/statem/statem_clnt.c | 24 ++++++++---------------- ssl/statem/statem_srvr.c | 10 +++------- ssl/t1_lib.c | 10 +++------- 11 files changed, 28 insertions(+), 63 deletions(-) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index b9775e0ad2..a9a9d84e60 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -236,7 +236,7 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, if (!ri) goto merr; - pk = X509_get_pubkey(recip); + pk = X509_get0_pubkey(recip); if (!pk) { CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY); goto err; @@ -264,15 +264,12 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) goto merr; - EVP_PKEY_free(pk); - return ri; merr: CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE); err: M_ASN1_free_of(ri, CMS_RecipientInfo); - EVP_PKEY_free(pk); return NULL; } diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 629ebf0e29..87b5144b39 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -97,11 +97,9 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; - skey = X509_get_pubkey(signer); - if (skey) { + skey = X509_get0_pubkey(signer); + if (skey) ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - } if (!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; @@ -397,9 +395,8 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; - skey = X509_get_pubkey(signer); + skey = X509_get0_pubkey(signer); ret = OCSP_REQUEST_verify(req, skey); - EVP_PKEY_free(skey); if (ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); return 0; diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 91864dceae..b2df65980b 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -142,7 +142,7 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, int ret = 0; size_t eklen; - pkey = X509_get_pubkey(ri->cert); + pkey = X509_get0_pubkey(ri->cert); if (!pkey) return 0; @@ -179,7 +179,6 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, ret = 1; err: - EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); OPENSSL_free(ek); return ret; @@ -1072,14 +1071,13 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, } os = si->enc_digest; - pkey = X509_get_pubkey(x509); + pkey = X509_get0_pubkey(x509); if (!pkey) { ret = -1; goto err; } i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey); - EVP_PKEY_free(pkey); if (i <= 0) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE); ret = -1; diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index b116f5a806..17e4de221a 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -523,7 +523,7 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) return 0; - pkey = X509_get_pubkey(x509); + pkey = X509_get0_pubkey(x509); if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) { PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET, @@ -543,15 +543,12 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) goto err; } - EVP_PKEY_free(pkey); - X509_up_ref(x509); p7i->cert = x509; return 1; err: - EVP_PKEY_free(pkey); return 0; } diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 9d9ea4b605..20834a079f 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -432,7 +432,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, rv = X509_V_ERR_SUITE_B_INVALID_VERSION; goto end; } - pk = X509_get_pubkey(x); + pk = X509_get0_pubkey(x); rv = check_suite_b(pk, sign_nid, &tflags); if (rv != X509_V_OK) goto end; diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 8cc35b3365..b27f9f6010 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -92,11 +92,10 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) goto err; - pktmp = X509_get_pubkey(x); + pktmp = X509_get0_pubkey(x); if (pktmp == NULL) goto err; i = X509_REQ_set_pubkey(ret, pktmp); - EVP_PKEY_free(pktmp); if (!i) goto err; diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index a7695cad77..a9116e7c77 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -71,7 +71,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) return (0); if (pkey == NULL) - pk = X509_get_pubkey(x); + pk = X509_get0_pubkey(x); else pk = pkey; @@ -122,7 +122,5 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) } } - if (pkey == NULL) - EVP_PKEY_free(pk); return (ret); } diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index a23b28e76c..a02230d0f1 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -179,10 +179,9 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) if (c->pkeys[i].x509 != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(c->pkeys[i].x509); + pktmp = X509_get0_pubkey(c->pkeys[i].x509); if (pktmp == NULL) { SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE); - EVP_PKEY_free(pktmp); return 0; } /* @@ -190,7 +189,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) * ignored. Some EVP_PKEY types cannot do this. */ EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); ERR_clear_error(); #ifndef OPENSSL_NO_RSA @@ -369,7 +367,7 @@ static int ssl_set_cert(CERT *c, X509 *x) EVP_PKEY *pkey; int i; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (pkey == NULL) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); return (0); @@ -378,8 +376,7 @@ static int ssl_set_cert(CERT *c, X509 *x) i = ssl_cert_type(x, pkey); if (i < 0) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - EVP_PKEY_free(pkey); - return (0); + return 0; } if (c->pkeys[i].privatekey != NULL) { @@ -413,14 +410,12 @@ static int ssl_set_cert(CERT *c, X509 *x) } } - EVP_PKEY_free(pkey); - X509_free(c->pkeys[i].x509); X509_up_ref(x); c->pkeys[i].x509 = x; c->key = &(c->pkeys[i]); - return (1); + return 1; } #ifndef OPENSSL_NO_STDIO diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index a7c51dfca2..c0eeeed102 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1524,7 +1524,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end */ - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { x = NULL; @@ -1570,7 +1570,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) err: ossl_statem_set_error(s); done: - EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk, X509_free); return ret; @@ -1686,7 +1685,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) /* We must check if there is a certificate */ if (alg_a & (SSL_aRSA|SSL_aDSS)) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); } #endif /* !OPENSSL_NO_SRP */ #ifndef OPENSSL_NO_DH @@ -1739,7 +1738,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto f_err; } if (alg_a & (SSL_aRSA|SSL_aDSS)) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); /* else anonymous DH, so no certificate or pkey. */ } #endif /* !OPENSSL_NO_DH */ @@ -1809,11 +1808,11 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) if (0) ; # ifndef OPENSSL_NO_RSA else if (alg_a & SSL_aRSA) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); # endif # ifndef OPENSSL_NO_EC else if (alg_a & SSL_aECDSA) - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); # endif /* else anonymous ECDH, so no certificate or pkey. */ } else if (alg_k) { @@ -1912,13 +1911,11 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto f_err; } } - EVP_PKEY_free(pkey); EVP_MD_CTX_free(md_ctx); return MSG_PROCESS_CONTINUE_READING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - EVP_PKEY_free(pkey); #ifndef OPENSSL_NO_RSA RSA_free(rsa); #endif @@ -2363,12 +2360,11 @@ psk_err: goto err; } - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - EVP_PKEY_free(pkey); goto err; } @@ -2501,7 +2497,6 @@ psk_err: unsigned int md_len; unsigned char shared_ukm[32], tmp[256]; EVP_MD_CTX *ukm_hash; - EVP_PKEY *pub_key; int dgst_nid = NID_id_GostR3411_94; if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) dgst_nid = NID_id_GostR3411_2012_256; @@ -2522,8 +2517,7 @@ psk_err: goto err; } - pkey_ctx = EVP_PKEY_CTX_new(pub_key = - X509_get_pubkey(peer_cert), NULL); + pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); if (pkey_ctx == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); @@ -2611,7 +2605,6 @@ psk_err: s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; } EVP_PKEY_CTX_free(pkey_ctx); - EVP_PKEY_free(pub_key); } #endif @@ -2963,9 +2956,8 @@ int ssl3_check_cert_and_algorithm(SSL *s) goto f_err; } #endif - pkey = X509_get_pubkey(s->session->peer); + pkey = X509_get0_pubkey(s->session->peer); i = X509_certificate_type(s->session->peer, pkey); - EVP_PKEY_free(pkey); /* Check that we have a certificate if we require one */ if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 38f01e1054..66ff3e61e2 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2553,7 +2553,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) * EVP_PKEY_derive_set_peer, because it is completely valid to use a * client certificate for authorization only. */ - client_pub_pkey = X509_get_pubkey(s->session->peer); + client_pub_pkey = X509_get0_pubkey(s->session->peer); if (client_pub_pkey) { if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) ERR_clear_error(); @@ -2595,11 +2595,9 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) s->statem.no_cert_verify = 1; - EVP_PKEY_free(client_pub_pkey); EVP_PKEY_CTX_free(pkey_ctx); return MSG_PROCESS_CONTINUE_PROCESSING; gerr: - EVP_PKEY_free(client_pub_pkey); EVP_PKEY_CTX_free(pkey_ctx); goto f_err; } else @@ -2725,7 +2723,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } peer = s->session->peer; - pkey = X509_get_pubkey(peer); + pkey = X509_get0_pubkey(peer); type = X509_certificate_type(peer, pkey); if (!(type & EVP_PKT_SIGN)) { @@ -2842,7 +2840,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) BIO_free(s->s3->handshake_buffer); s->s3->handshake_buffer = NULL; EVP_MD_CTX_free(mctx); - EVP_PKEY_free(pkey); return ret; } @@ -2931,14 +2928,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) al = SSL_AD_HANDSHAKE_FAILURE; goto f_err; } - pkey = X509_get_pubkey(sk_X509_value(sk, 0)); + pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); if (pkey == NULL) { al = SSL3_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto f_err; } - EVP_PKEY_free(pkey); } X509_free(s->session->peer); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 421a5a6f93..a2a68af6c9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -786,16 +786,13 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) unsigned char comp_id, curve_id[2]; EVP_PKEY *pkey; int rv; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (!pkey) return 0; /* If not EC nothing to do */ - if (pkey->type != EVP_PKEY_EC) { - EVP_PKEY_free(pkey); + if (pkey->type != EVP_PKEY_EC) return 1; - } rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); - EVP_PKEY_free(pkey); if (!rv) return 0; /* @@ -4254,7 +4251,7 @@ DH *ssl_get_auto_dh(SSL *s) static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) { int secbits = -1; - EVP_PKEY *pkey = X509_get_pubkey(x); + EVP_PKEY *pkey = X509_get0_pubkey(x); if (pkey) { /* * If no parameters this will return -1 and fail using the default @@ -4263,7 +4260,6 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) * omission of parameters is never (?) done in practice. */ secbits = EVP_PKEY_security_bits(pkey); - EVP_PKEY_free(pkey); } if (s) return ssl_security(s, op, secbits, 0, x); -- 2.34.1