free cleanup almost the finale
Add OPENSSL_clear_free which merges cleanse and free.
(Names was picked to be similar to BN_clear_free, etc.)
Removed OPENSSL_freeFunc macro.
Fixed the small simple ones that are left:
CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked
Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index bbff778..71756cd 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3073,8 +3073,7 @@
s->
session->master_key,
pms, pmslen);
- OPENSSL_cleanse(pms, pmslen);
- OPENSSL_free(pms);
+ OPENSSL_clear_free(pms, pmslen);
s->cert->pms = NULL;
if (s->session->master_key_length < 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
@@ -3087,11 +3086,8 @@
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
err:
- if (pms) {
- OPENSSL_cleanse(pms, pmslen);
- OPENSSL_free(pms);
- s->cert->pms = NULL;
- }
+ OPENSSL_clear_free(pms, pmslen);
+ s->cert->pms = NULL;
#ifndef OPENSSL_NO_EC
BN_CTX_free(bn_ctx);
if (encodedPoint != NULL)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 8fc5bc4..df86f5b 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -471,11 +471,8 @@
void ssl3_cleanup_key_block(SSL *s)
{
- if (s->s3->tmp.key_block != NULL) {
- OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
- OPENSSL_free(s->s3->tmp.key_block);
- s->s3->tmp.key_block = NULL;
- }
+ OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
+ s->s3->tmp.key_block = NULL;
s->s3->tmp.key_block_length = 0;
}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ef2ddb4..190d0f1 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3138,8 +3138,7 @@
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
- OPENSSL_cleanse(s->s3, sizeof *s->s3);
- OPENSSL_free(s->s3);
+ OPENSSL_clear_free(s->s3, sizeof *s->s3);
s->s3 = NULL;
}
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0ae9646..a15c5f9 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -465,11 +465,8 @@
custom_exts_free(&c->cli_ext);
custom_exts_free(&c->srv_ext);
#endif
- if (c->pms) {
- OPENSSL_cleanse(c->pms, c->pmslen);
- OPENSSL_free(c->pms);
- c->pms = NULL;
- }
+ OPENSSL_clear_free(c->pms, c->pmslen);
+ c->pms = NULL;
OPENSSL_free(c);
}
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index eed38ca..cec5905 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -759,8 +759,7 @@
if (ss->srp_username != NULL)
OPENSSL_free(ss->srp_username);
#endif
- OPENSSL_cleanse(ss, sizeof(*ss));
- OPENSSL_free(ss);
+ OPENSSL_clear_free(ss, sizeof(*ss));
}
int SSL_set_session(SSL *s, SSL_SESSION *session)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 1f58ed0..edb6558 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -717,10 +717,7 @@
ret = 1;
err:
- if (p2) {
- OPENSSL_cleanse(p2, num);
- OPENSSL_free(p2);
- }
+ OPENSSL_clear_free(p2, num);
return (ret);
}
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 33d398f..5d895cc 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -339,7 +339,7 @@
int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
{
BIGNUM *K = NULL, *u = NULL;
- int ret = -1, tmp_len;
+ int ret = -1, tmp_len = 0;
unsigned char *tmp = NULL;
if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
@@ -360,10 +360,7 @@
s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
tmp_len);
err:
- if (tmp) {
- OPENSSL_cleanse(tmp, tmp_len);
- OPENSSL_free(tmp);
- }
+ OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K);
BN_clear_free(u);
return ret;
@@ -373,7 +370,7 @@
int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
{
BIGNUM *x = NULL, *u = NULL, *K = NULL;
- int ret = -1, tmp_len;
+ int ret = -1, tmp_len = 0;
char *passwd = NULL;
unsigned char *tmp = NULL;
@@ -407,16 +404,10 @@
s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
tmp_len);
err:
- if (tmp) {
- OPENSSL_cleanse(tmp, tmp_len);
- OPENSSL_free(tmp);
- }
+ OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K);
BN_clear_free(x);
- if (passwd) {
- OPENSSL_cleanse(passwd, strlen(passwd));
- OPENSSL_free(passwd);
- }
+ OPENSSL_clear_free(passwd, strlen(passwd));
BN_clear_free(u);
return ret;
}