yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-24 22:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rework SNI to fix memory issues

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2013-09-24 22:30:56 +02:00
parent b095a7bf29
commit 8372454615
3 changed files with 39 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
include/polarssl/ssl.h
View file

@ -493,8 +493,16 @@ struct _ssl_handshake_params
const ecp_curve_info **curves; /*!< Supported elliptic curves */ const ecp_curve_info **curves; /*!< Supported elliptic curves */
#endif #endif
#if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_X509_CRT_PARSE_C)
ssl_key_cert *key_cert; /*!< Own key/cert in use */ /**
int free_key_cert; /*!< Shall we free key_cert? */ * Current key/cert or key/cert list.
* On client: pointer to ssl->key_cert, only the first entry used.
* On server: starts as a pointer to ssl->key_cert, then becomes
* a pointer to the chosen key from this list or the SNI list.
*/
ssl_key_cert *key_cert;
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
#endif
#endif #endif
/* /*

18
library/ssl_srv.c
View file

@ -339,8 +339,8 @@ static int ssl_parse_ticket( ssl_context *ssl,
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
/* /*
* Wrapper around f_sni, allowing use of * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
* ssl_set_own_cert() but making it act on ssl->hanshake->key_cert instead. * making it act on ssl->hanshake->sni_key_cert instead.
*/ */
static int ssl_sni_wrapper( ssl_context *ssl, static int ssl_sni_wrapper( ssl_context *ssl,
const unsigned char* name, size_t len ) const unsigned char* name, size_t len )
@ -350,8 +350,7 @@ static int ssl_sni_wrapper( ssl_context *ssl,
ssl->key_cert = NULL; ssl->key_cert = NULL;
ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
ssl->handshake->key_cert = ssl->key_cert; ssl->handshake->sni_key_cert = ssl->key_cert;
ssl->handshake->free_key_cert = 1;
ssl->key_cert = key_cert_ori; ssl->key_cert = key_cert_ori;
@ -933,13 +932,20 @@ static int ssl_key_matches_curves( pk_context *pk,
static int ssl_pick_cert( ssl_context *ssl, static int ssl_pick_cert( ssl_context *ssl,
const ssl_ciphersuite_t * ciphersuite_info ) const ssl_ciphersuite_t * ciphersuite_info )
{ {
ssl_key_cert *cur; ssl_key_cert *cur, *list;
pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL )
list = ssl->handshake->sni_key_cert;
else
#endif
list = ssl->handshake->key_cert;
if( pk_alg == POLARSSL_PK_NONE ) if( pk_alg == POLARSSL_PK_NONE )
return( 0 ); return( 0 );
for( cur = ssl->key_cert; cur != NULL; cur = cur->next ) for( cur = list; cur != NULL; cur = cur->next )
{ {
if( ! pk_can_do( cur->key, pk_alg ) ) if( ! pk_can_do( cur->key, pk_alg ) )
continue; continue;

20
library/ssl_tls.c
View file

@ -4170,9 +4170,23 @@ void ssl_handshake_free( ssl_handshake_params *handshake )
polarssl_free( handshake->curves ); polarssl_free( handshake->curves );
#endif #endif
#if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_X509_CRT_PARSE_C) && \
if( handshake->free_key_cert != 0 ) defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl_key_cert_free( handshake->key_cert ); /*
* Free only the linked list wrapper, not the keys themselves
* since the belong to the SNI callback
*/
if( handshake->sni_key_cert != NULL )
{
ssl_key_cert *cur = handshake->sni_key_cert, *next;
while( cur != NULL )
{
next = cur->next;
polarssl_free( cur );
cur = next;
}
}
#endif #endif
memset( handshake, 0, sizeof( ssl_handshake_params ) ); memset( handshake, 0, sizeof( ssl_handshake_params ) );