OpenSSL: Remove unnecessary os_strdup() from password callback

There's no need to make an extra copy of private_key_passwd for
SSL_{CTX_,}set_default_passwd_cb().

Signed-off-by: David Benjamin <davidben@google.com>
David Benjamin 2017-09-18 00:33:43 -04:00 committed by Jouni Malinen
parent b65353a767
commit 149143e31d


@ -3039,19 +3039,11 @@ static int tls_connection_private_key(struct tls_data *data,
size_t private_key_blob_len) size_t private_key_blob_len)
{ {
SSL_CTX *ssl_ctx = data->ssl; SSL_CTX *ssl_ctx = data->ssl;
char *passwd;
int ok; int ok;
if (private_key == NULL && private_key_blob == NULL) if (private_key == NULL && private_key_blob == NULL)
return 0; return 0;
if (private_key_passwd) {
passwd = os_strdup(private_key_passwd);
if (passwd == NULL)
return -1;
} else
passwd = NULL;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
#ifndef LIBRESSL_VERSION_NUMBER #ifndef LIBRESSL_VERSION_NUMBER
#ifndef OPENSSL_IS_BORINGSSL #ifndef OPENSSL_IS_BORINGSSL
@ -3060,13 +3052,15 @@ static int tls_connection_private_key(struct tls_data *data,
* from the SSL object. See OpenSSL commit d61461a75253. * from the SSL object. See OpenSSL commit d61461a75253.
*/ */
SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); SSL_set_default_passwd_cb_userdata(conn->ssl,
(void *) private_key_passwd);
#endif /* !BoringSSL */ #endif /* !BoringSSL */
#endif /* !LibreSSL */ #endif /* !LibreSSL */
#endif /* >= 1.1.0f && */ #endif /* >= 1.1.0f && */
/* Keep these for OpenSSL < 1.1.0f */ /* Keep these for OpenSSL < 1.1.0f */
SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,
(void *) private_key_passwd);
ok = 0; ok = 0;
while (private_key_blob) { while (private_key_blob) {
@ -3098,7 +3092,8 @@ static int tls_connection_private_key(struct tls_data *data,
} }
if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob, if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
private_key_blob_len, passwd) == 0) { private_key_blob_len,
private_key_passwd) == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> " wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
"OK"); "OK");
ok = 1; ok = 1;
@ -3130,8 +3125,8 @@ static int tls_connection_private_key(struct tls_data *data,
__func__); __func__);
#endif /* OPENSSL_NO_STDIO */ #endif /* OPENSSL_NO_STDIO */
if (tls_read_pkcs12(data, conn->ssl, private_key, passwd) if (tls_read_pkcs12(data, conn->ssl, private_key,
== 0) { private_key_passwd) == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file " wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
"--> OK"); "--> OK");
ok = 1; ok = 1;
@ -3152,12 +3147,10 @@ static int tls_connection_private_key(struct tls_data *data,
tls_show_errors(MSG_INFO, __func__, tls_show_errors(MSG_INFO, __func__,
"Failed to load private key"); "Failed to load private key");
tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
os_free(passwd);
return -1; return -1;
} }
ERR_clear_error(); ERR_clear_error();
tls_clear_default_passwd_cb(ssl_ctx, conn->ssl); tls_clear_default_passwd_cb(ssl_ctx, conn->ssl);
os_free(passwd);
if (!SSL_check_private_key(conn->ssl)) { if (!SSL_check_private_key(conn->ssl)) {
tls_show_errors(MSG_INFO, __func__, "Private key failed " tls_show_errors(MSG_INFO, __func__, "Private key failed "
@ -3175,20 +3168,13 @@ static int tls_global_private_key(struct tls_data *data,
const char *private_key_passwd) const char *private_key_passwd)
{ {
SSL_CTX *ssl_ctx = data->ssl; SSL_CTX *ssl_ctx = data->ssl;
char *passwd;
if (private_key == NULL) if (private_key == NULL)
return 0; return 0;
if (private_key_passwd) {
passwd = os_strdup(private_key_passwd);
if (passwd == NULL)
return -1;
} else
passwd = NULL;
SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,
(void *) private_key_passwd);
if ( if (
#ifndef OPENSSL_NO_STDIO #ifndef OPENSSL_NO_STDIO
SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key, SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key,
@ -3196,16 +3182,14 @@ static int tls_global_private_key(struct tls_data *data,
SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key, SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key,
SSL_FILETYPE_PEM) != 1 && SSL_FILETYPE_PEM) != 1 &&
#endif /* OPENSSL_NO_STDIO */ #endif /* OPENSSL_NO_STDIO */
tls_read_pkcs12(data, NULL, private_key, passwd)) { tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) {
tls_show_errors(MSG_INFO, __func__, tls_show_errors(MSG_INFO, __func__,
"Failed to load private key"); "Failed to load private key");
tls_clear_default_passwd_cb(ssl_ctx, NULL); tls_clear_default_passwd_cb(ssl_ctx, NULL);
os_free(passwd);
ERR_clear_error(); ERR_clear_error();
return -1; return -1;
} }
tls_clear_default_passwd_cb(ssl_ctx, NULL); tls_clear_default_passwd_cb(ssl_ctx, NULL);
os_free(passwd);
ERR_clear_error(); ERR_clear_error();
if (!SSL_CTX_check_private_key(ssl_ctx)) { if (!SSL_CTX_check_private_key(ssl_ctx)) {
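Review bot: The userdata registered by `SSL_set_default_passwd_cb_userdata(conn->ssl, (void *) private_key_passwd)` and by the two `SSL_CTX_set_default_passwd_cb_userdata()` calls is now a borrowed, const-cast pointer to the caller's string, and the two invariants this relies on are not documented. First, `tls_passwd_cb` (not shown here) must only read through that pointer. Second, every exit after registration has to pass through `tls_clear_default_passwd_cb()`, because a skipped clear no longer leaks a private copy but leaves the `SSL_CTX` taken from `data->ssl` pointing at memory the caller may later free. The return paths visible in both functions do clear it, but the key-loading loops of `tls_connection_private_key` lie partly outside the hunks, so that is worth confirming. I would add above each registration: `/* Borrowed from caller: read-only in tls_passwd_cb(), must be cleared before return */`.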