mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 09:15:43 +01:00
Rework SNI to fix memory issues
This commit is contained in:
parent
b095a7bf29
commit
8372454615
@ -493,8 +493,16 @@ struct _ssl_handshake_params
|
||||
const ecp_curve_info **curves; /*!< Supported elliptic curves */
|
||||
#endif
|
||||
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
||||
ssl_key_cert *key_cert; /*!< Own key/cert in use */
|
||||
int free_key_cert; /*!< Shall we free key_cert? */
|
||||
/**
|
||||
* Current key/cert or key/cert list.
|
||||
* On client: pointer to ssl->key_cert, only the first entry used.
|
||||
* On server: starts as a pointer to ssl->key_cert, then becomes
|
||||
* a pointer to the chosen key from this list or the SNI list.
|
||||
*/
|
||||
ssl_key_cert *key_cert;
|
||||
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
||||
ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -339,8 +339,8 @@ static int ssl_parse_ticket( ssl_context *ssl,
|
||||
|
||||
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
||||
/*
|
||||
* Wrapper around f_sni, allowing use of
|
||||
* ssl_set_own_cert() but making it act on ssl->hanshake->key_cert instead.
|
||||
* Wrapper around f_sni, allowing use of ssl_set_own_cert() but
|
||||
* making it act on ssl->hanshake->sni_key_cert instead.
|
||||
*/
|
||||
static int ssl_sni_wrapper( ssl_context *ssl,
|
||||
const unsigned char* name, size_t len )
|
||||
@ -350,8 +350,7 @@ static int ssl_sni_wrapper( ssl_context *ssl,
|
||||
|
||||
ssl->key_cert = NULL;
|
||||
ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
|
||||
ssl->handshake->key_cert = ssl->key_cert;
|
||||
ssl->handshake->free_key_cert = 1;
|
||||
ssl->handshake->sni_key_cert = ssl->key_cert;
|
||||
|
||||
ssl->key_cert = key_cert_ori;
|
||||
|
||||
@ -933,13 +932,20 @@ static int ssl_key_matches_curves( pk_context *pk,
|
||||
static int ssl_pick_cert( ssl_context *ssl,
|
||||
const ssl_ciphersuite_t * ciphersuite_info )
|
||||
{
|
||||
ssl_key_cert *cur;
|
||||
ssl_key_cert *cur, *list;
|
||||
pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||
|
||||
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
||||
if( ssl->handshake->sni_key_cert != NULL )
|
||||
list = ssl->handshake->sni_key_cert;
|
||||
else
|
||||
#endif
|
||||
list = ssl->handshake->key_cert;
|
||||
|
||||
if( pk_alg == POLARSSL_PK_NONE )
|
||||
return( 0 );
|
||||
|
||||
for( cur = ssl->key_cert; cur != NULL; cur = cur->next )
|
||||
for( cur = list; cur != NULL; cur = cur->next )
|
||||
{
|
||||
if( ! pk_can_do( cur->key, pk_alg ) )
|
||||
continue;
|
||||
|
@ -4170,9 +4170,23 @@ void ssl_handshake_free( ssl_handshake_params *handshake )
|
||||
polarssl_free( handshake->curves );
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
||||
if( handshake->free_key_cert != 0 )
|
||||
ssl_key_cert_free( handshake->key_cert );
|
||||
#if defined(POLARSSL_X509_CRT_PARSE_C) && \
|
||||
defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
||||
/*
|
||||
* Free only the linked list wrapper, not the keys themselves
|
||||
* since the belong to the SNI callback
|
||||
*/
|
||||
if( handshake->sni_key_cert != NULL )
|
||||
{
|
||||
ssl_key_cert *cur = handshake->sni_key_cert, *next;
|
||||
|
||||
while( cur != NULL )
|
||||
{
|
||||
next = cur->next;
|
||||
polarssl_free( cur );
|
||||
cur = next;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
memset( handshake, 0, sizeof( ssl_handshake_params ) );
|
||||
|
Loading…
Reference in New Issue
Block a user