Free generated supp data after handshake completion, add comment regarding use of...

[openssl.git] / apps / s_server.c

diff --git a/apps/s_server.c b/apps/s_server.c
index d3b2d4ae159693e46e5db58e7c8a1ea354400843..44acb1e79aee4c035de3051e5c2ef48f0ea990bb 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -229,8 +229,10 @@ static void s_server_init(void);
 
 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
 
-static const unsigned char *most_recent_supplemental_data;
-static size_t most_recent_supplemental_data_length;
+static unsigned char *generated_supp_data = NULL;
+
+static unsigned char *most_recent_supplemental_data = NULL;
+static size_t most_recent_supplemental_data_length = 0;
 
 static int client_provided_server_authz = 0;
 static int client_provided_client_authz = 0;
@@ -1056,7 +1058,7 @@ int MAIN(int argc, char *argv[])
        EVP_PKEY *s_key = NULL, *s_dkey = NULL;
        int no_cache = 0, ext_cache = 0;
        int rev = 0, naccept = -1;
-    int c_no_resumption_on_reneg = 0;
+       int c_no_resumption_on_reneg = 0;
 #ifndef OPENSSL_NO_TLSEXT
        EVP_PKEY *s_key2 = NULL;
        X509 *s_cert2 = NULL;
@@ -1961,10 +1963,8 @@ bad:
                }
 #endif
 
-    if (c_no_resumption_on_reneg)
-        {
-        SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-        }
+       if (c_no_resumption_on_reneg)
+               SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
        if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
@@ -2675,6 +2675,13 @@ static int init_ssl_connection(SSL *con)
                        i=SSL_accept(con);
                }
 #endif
+       /*handshake is complete - free the generated supp data allocated in the callback */
+       if (generated_supp_data)
+               {
+        OPENSSL_free(generated_supp_data);
+               generated_supp_data = NULL;
+               }
+
        if (i <= 0)
                {
                if (BIO_sock_should_retry(i))
@@ -3569,18 +3576,12 @@ static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
                           void *arg)
        {
        if (TLSEXT_TYPE_server_authz == ext_type)
-               {
-               client_provided_server_authz = (memchr(in,
-               TLSEXT_AUTHZDATAFORMAT_dtcp,
-               inlen) != NULL);
-               }
+               client_provided_server_authz
+                 = memchr(in,  TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
 
        if (TLSEXT_TYPE_client_authz == ext_type)
-               {
-               client_provided_client_authz = (memchr(in,
-               TLSEXT_AUTHZDATAFORMAT_dtcp,
-               inlen) != NULL);
-               }
+               client_provided_client_authz
+                 = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
 
        return 1;
        }
@@ -3591,14 +3592,17 @@ static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
        {
        if (c_auth && client_provided_client_authz && client_provided_server_authz)
                {
-               if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
+               /*if auth_require_reneg flag is set, only send extensions if
+                 renegotiation has occurred */
+               if (!c_auth_require_reneg
+                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
                        {
                        *out = auth_ext_data;
                        *outlen = 1;
                        return 1;
                        }
                }
-       //no auth extension to send
+       /* no auth extension to send */
        return -1;
        }
 
@@ -3619,19 +3623,21 @@ static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
                                     const unsigned char **out,
                                     unsigned short *outlen, void *arg)
        {
-       unsigned char *result;
        if (c_auth && client_provided_client_authz && client_provided_server_authz)
                {
-               if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
+               /*if auth_require_reneg flag is set, only send supplemental data if
+                 renegotiation has occurred */
+               if (!c_auth_require_reneg
+                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
                        {
-                       result = OPENSSL_malloc(10);
-                       memcpy(result, "1234512345", 10);
-                       *out = result;
+                       generated_supp_data = OPENSSL_malloc(10);
+                       memcpy(generated_supp_data, "1234512345", 10);
+                       *out = generated_supp_data;
                        *outlen = 10;
                        return 1;
                        }
                }
-       //no supplemental data to send
+       /* no supplemental data to send */
        return -1;
        }
 #endif