STACK_OF(EVP_CIPHER) *cipher_stack = stack;
if (is_cipher_fetchable(cipher)
- && sk_EVP_CIPHER_push(cipher_stack, cipher) > 0)
- EVP_CIPHER_up_ref(cipher);
+ && EVP_CIPHER_up_ref(cipher)
+ && sk_EVP_CIPHER_push(cipher_stack, cipher) <= 0)
+ EVP_CIPHER_free(cipher); /* up-ref successful but push to stack failed */
}
static void list_ciphers(const char *prefix)
STACK_OF(EVP_MD) *digest_stack = stack;
if (is_digest_fetchable(digest)
- && sk_EVP_MD_push(digest_stack, digest) > 0)
- EVP_MD_up_ref(digest);
+ && EVP_MD_up_ref(digest)
+ && sk_EVP_MD_push(digest_stack, digest) <= 0)
+ EVP_MD_free(digest); /* up-ref successful but push to stack failed */
}
static void list_digests(const char *prefix)
STACK_OF(EVP_KDF) *kdf_stack = stack;
if (is_kdf_fetchable(kdf)
- && sk_EVP_KDF_push(kdf_stack, kdf) > 0)
- EVP_KDF_up_ref(kdf);
+ && EVP_KDF_up_ref(kdf)
+ && sk_EVP_KDF_push(kdf_stack, kdf) <= 0)
+ EVP_KDF_free(kdf); /* up-ref successful but push to stack failed */
}
static void list_kdfs(void)
STACK_OF(EVP_RAND) *rand_stack = stack;
if (is_rand_fetchable(rand)
- && sk_EVP_RAND_push(rand_stack, rand) > 0)
- EVP_RAND_up_ref(rand);
+ && EVP_RAND_up_ref(rand)
+ && sk_EVP_RAND_push(rand_stack, rand) <= 0)
+ EVP_RAND_free(rand); /* up-ref successful but push to stack failed */
}
static void list_random_generators(void)
STACK_OF(OSSL_ENCODER) *encoder_stack = stack;
if (is_encoder_fetchable(encoder)
- && sk_OSSL_ENCODER_push(encoder_stack, encoder) > 0)
- OSSL_ENCODER_up_ref(encoder);
+ && OSSL_ENCODER_up_ref(encoder)
+ && sk_OSSL_ENCODER_push(encoder_stack, encoder) <= 0)
+ OSSL_ENCODER_free(encoder); /* up-ref successful but push to stack failed */
}
static void list_encoders(void)
STACK_OF(OSSL_DECODER) *decoder_stack = stack;
if (is_decoder_fetchable(decoder)
- && sk_OSSL_DECODER_push(decoder_stack, decoder) > 0)
- OSSL_DECODER_up_ref(decoder);
+ && OSSL_DECODER_up_ref(decoder)
+ && sk_OSSL_DECODER_push(decoder_stack, decoder) <= 0)
+ OSSL_DECODER_free(decoder); /* up-ref successful but push to stack failed */
}
static void list_decoders(void)
STACK_OF(EVP_KEYMGMT) *km_stack = stack;
if (is_keymgmt_fetchable(km)
- && sk_EVP_KEYMGMT_push(km_stack, km) > 0)
- EVP_KEYMGMT_up_ref(km);
+ && EVP_KEYMGMT_up_ref(km)
+ && sk_EVP_KEYMGMT_push(km_stack, km) <= 0)
+ EVP_KEYMGMT_free(km); /* up-ref successful but push to stack failed */
}
static void list_keymanagers(void)
STACK_OF(EVP_SIGNATURE) *sig_stack = stack;
if (is_signature_fetchable(sig)
- && sk_EVP_SIGNATURE_push(sig_stack, sig) > 0)
- EVP_SIGNATURE_up_ref(sig);
+ && EVP_SIGNATURE_up_ref(sig)
+ && sk_EVP_SIGNATURE_push(sig_stack, sig) <= 0)
+ EVP_SIGNATURE_free(sig); /* up-ref successful but push to stack failed */
}
static void list_signatures(void)
STACK_OF(EVP_KEM) *kem_stack = stack;
if (is_kem_fetchable(kem)
- && sk_EVP_KEM_push(kem_stack, kem) > 0)
- EVP_KEM_up_ref(kem);
+ && EVP_KEM_up_ref(kem)
+ && sk_EVP_KEM_push(kem_stack, kem) <= 0)
+ EVP_KEM_free(kem); /* up-ref successful but push to stack failed */
}
static void list_kems(void)
STACK_OF(EVP_ASYM_CIPHER) *asym_cipher_stack = stack;
if (is_asym_cipher_fetchable(asym_cipher)
- && sk_EVP_ASYM_CIPHER_push(asym_cipher_stack, asym_cipher) > 0)
- EVP_ASYM_CIPHER_up_ref(asym_cipher);
+ && EVP_ASYM_CIPHER_up_ref(asym_cipher)
+ && sk_EVP_ASYM_CIPHER_push(asym_cipher_stack, asym_cipher) <= 0)
+ EVP_ASYM_CIPHER_free(asym_cipher); /* up-ref successful but push to stack failed */
}
static void list_asymciphers(void)
STACK_OF(EVP_KEYEXCH) *kex_stack = stack;
if (is_keyexch_fetchable(kex)
- && sk_EVP_KEYEXCH_push(kex_stack, kex) > 0)
- EVP_KEYEXCH_up_ref(kex);
+ && EVP_KEYEXCH_up_ref(kex)
+ && sk_EVP_KEYEXCH_push(kex_stack, kex) <= 0)
+ EVP_KEYEXCH_free(kex); /* up-ref successful but push to stack failed */
}
static void list_keyexchanges(void)
{
STACK_OF(OSSL_STORE_LOADER) *store_stack = stack;
- if (sk_OSSL_STORE_LOADER_push(store_stack, store) > 0)
- OSSL_STORE_LOADER_up_ref(store);
+ if (OSSL_STORE_LOADER_up_ref(store)
+ && sk_OSSL_STORE_LOADER_push(store_stack, store) <= 0)
+ OSSL_STORE_LOADER_free(store); /* up-ref successful but push to stack failed */
}
static void list_store_loaders(void)
const SSL_CIPHER *cipher = NULL;
if (psksess != NULL) {
- SSL_SESSION_up_ref(psksess);
+ if (!SSL_SESSION_up_ref(psksess))
+ goto err;
usesess = psksess;
} else {
long key_len;
}
if (psksess != NULL) {
- SSL_SESSION_up_ref(psksess);
+ if (!SSL_SESSION_up_ref(psksess))
+ return 0;
+
*sess = psksess;
return 1;
}
STACK_OF(EVP_KEM) *kem_stack = stack;
if (is_kem_fetchable(kem)
- && sk_EVP_KEM_push(kem_stack, kem) > 0) {
- EVP_KEM_up_ref(kem);
- }
+ && EVP_KEM_up_ref(kem)
+ && sk_EVP_KEM_push(kem_stack, kem) <= 0)
+ EVP_KEM_free(kem); /* up-ref successful but push to stack failed */
}
static int kem_locate(const char *algo, unsigned int *idx)
STACK_OF(EVP_SIGNATURE) *sig_stack = stack;
if (is_signature_fetchable(sig)
- && sk_EVP_SIGNATURE_push(sig_stack, sig) > 0)
- EVP_SIGNATURE_up_ref(sig);
+ && EVP_SIGNATURE_up_ref(sig)
+ && sk_EVP_SIGNATURE_push(sig_stack, sig) <= 0)
+ EVP_SIGNATURE_free(sig); /* up-ref successful but push to stack failed */
}
static int sig_locate(const char *algo, unsigned int *idx)
if (!ossl_cms_set1_SignerIdentifier(ktri->rid, recip, idtype, ctx))
return 0;
- X509_up_ref(recip);
- EVP_PKEY_up_ref(pk);
+ if (!X509_up_ref(recip))
+ return 0;
+ if (!EVP_PKEY_up_ref(pk)) {
+ X509_free(recip);
+ return 0;
+ }
ktri->pkey = pk;
ktri->recip = recip;
return 0;
}
- EVP_PKEY_up_ref(recipPubKey);
+ if (!EVP_PKEY_up_ref(recipPubKey))
+ return 0;
+
rek->pkey = recipPubKey;
return 1;
}
/* Call for side-effect of computing hash and caching extensions */
X509_check_purpose(signer, -1, -1);
- X509_up_ref(signer);
- EVP_PKEY_up_ref(pk);
+ if (!X509_up_ref(signer))
+ goto err;
+ if (!EVP_PKEY_up_ref(pk)) {
+ X509_free(signer);
+ goto err;
+ }
si->cms_ctx = ctx;
si->pkey = pk;
void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer)
{
if (signer != NULL) {
- X509_up_ref(signer);
+ if (!X509_up_ref(signer))
+ return;
EVP_PKEY_free(si->pkey);
si->pkey = X509_get_pubkey(signer);
}
}
/* If we have a cert, try matching RecipientInfo, else try them all */
else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
- EVP_PKEY_up_ref(pk);
+ if (!EVP_PKEY_up_ref(pk))
+ return 0;
CMS_RecipientInfo_set0_pkey(ri, pk);
r = CMS_RecipientInfo_decrypt(cms, ri);
CMS_RecipientInfo_set0_pkey(ri, NULL);
if (cipher == NULL)
return NULL;
- if (!CRYPTO_NEW_REF(&cipher->refcnt, 1)) {
+ if (!CRYPTO_NEW_REF(&cipher->refcnt, 1)
+ || !ossl_provider_up_ref(prov)) {
+ CRYPTO_FREE_REF(&cipher->refcnt);
OPENSSL_free(cipher);
return NULL;
}
cipher->prov = prov;
- ossl_provider_up_ref(prov);
return cipher;
}
} else {
evp_md_ctx_reset_ex(out, 1);
digest_change = (out->fetched_digest != in->fetched_digest);
+
+ if (digest_change && in->fetched_digest != NULL
+ && !EVP_MD_up_ref(in->fetched_digest))
+ return 0;
if (digest_change && out->fetched_digest != NULL)
EVP_MD_free(out->fetched_digest);
*out = *in;
out->pctx = NULL;
out->algctx = NULL;
- if (digest_change && in->fetched_digest != NULL)
- EVP_MD_up_ref(in->fetched_digest);
-
if (in->algctx != NULL) {
out->algctx = in->digest->dupctx(in->algctx);
if (out->algctx == NULL) {
if (!evp_names_do_all(prov, name_id, set_legacy_nid, &md->type)
|| md->type == -1) {
ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
- EVP_MD_free(md);
- return NULL;
+ goto err;
}
#endif
md->name_id = name_id;
- if ((md->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL) {
- EVP_MD_free(md);
- return NULL;
- }
+ if ((md->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL)
+ goto err;
+
md->description = algodef->algorithm_description;
for (; fns->function_id != 0; fns++) {
* The "digest" function can standalone. We at least need one way to
* generate digests.
*/
- EVP_MD_free(md);
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
- return NULL;
+ goto err;
}
+ if (prov != NULL && !ossl_provider_up_ref(prov))
+ goto err;
+
md->prov = prov;
- if (prov != NULL)
- ossl_provider_up_ref(prov);
if (!evp_md_cache_constants(md)) {
- EVP_MD_free(md);
ERR_raise(ERR_LIB_EVP, EVP_R_CACHE_CONSTANTS_FAILED);
- md = NULL;
+ goto err;
}
return md;
+
+err:
+ EVP_MD_free(md);
+ return NULL;
}
static int evp_md_up_ref(void *md)
if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid)
|| cipher->nid == -1) {
ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
- EVP_CIPHER_free(cipher);
- return NULL;
+ goto err;
}
#endif
cipher->name_id = name_id;
- if ((cipher->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL) {
- EVP_CIPHER_free(cipher);
- return NULL;
- }
+ if ((cipher->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL)
+ goto err;
+
cipher->description = algodef->algorithm_description;
for (; fns->function_id != 0; fns++) {
* functions, or a single "cipher" function. In all cases we need both
* the "newctx" and "freectx" functions.
*/
- EVP_CIPHER_free(cipher);
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
- return NULL;
+ goto err;
}
+ if (prov != NULL && !ossl_provider_up_ref(prov))
+ goto err;
+
cipher->prov = prov;
- if (prov != NULL)
- ossl_provider_up_ref(prov);
if (!evp_cipher_cache_constants(cipher)) {
- EVP_CIPHER_free(cipher);
ERR_raise(ERR_LIB_EVP, EVP_R_CACHE_CONSTANTS_FAILED);
- cipher = NULL;
+ goto err;
}
return cipher;
+
+err:
+ EVP_CIPHER_free(cipher);
+ return NULL;
}
static int evp_cipher_up_ref(void *cipher)
if (exchange == NULL)
return NULL;
- if (!CRYPTO_NEW_REF(&exchange->refcnt, 1)) {
+ if (!CRYPTO_NEW_REF(&exchange->refcnt, 1)
+ || !ossl_provider_up_ref(prov)) {
+ CRYPTO_FREE_REF(&exchange->refcnt);
OPENSSL_free(exchange);
return NULL;
}
exchange->prov = prov;
- ossl_provider_up_ref(prov);
return exchange;
}
return -1;
}
+ if (!EVP_PKEY_up_ref(peer))
+ return -1;
+
EVP_PKEY_free(ctx->peerkey);
ctx->peerkey = peer;
ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
if (ret <= 0) {
+ EVP_PKEY_free(ctx->peerkey);
ctx->peerkey = NULL;
return ret;
}
- EVP_PKEY_up_ref(peer);
return 1;
#endif
}
return NULL;
}
kdf->name_id = name_id;
- if ((kdf->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL) {
- evp_kdf_free(kdf);
- return NULL;
- }
+ if ((kdf->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL)
+ goto err;
+
kdf->description = algodef->algorithm_description;
for (; fns->function_id != 0; fns++) {
* a derive function, and a complete set of context management
* functions.
*/
- evp_kdf_free(kdf);
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
- return NULL;
+ goto err;
}
+ if (prov != NULL && !ossl_provider_up_ref(prov))
+ goto err;
+
kdf->prov = prov;
- if (prov != NULL)
- ossl_provider_up_ref(prov);
return kdf;
+
+err:
+ evp_kdf_free(kdf);
+ return NULL;
}
EVP_KDF *EVP_KDF_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
if (kem == NULL)
return NULL;
- if (!CRYPTO_NEW_REF(&kem->refcnt, 1)) {
+ if (!CRYPTO_NEW_REF(&kem->refcnt, 1)
+ || !ossl_provider_up_ref(prov)) {
+ CRYPTO_FREE_REF(&kem->refcnt);
OPENSSL_free(kem);
return NULL;
}
kem->prov = prov;
- ossl_provider_up_ref(prov);
return kem;
}
if ((mac = evp_mac_new()) == NULL) {
ERR_raise(ERR_LIB_EVP, ERR_R_EVP_LIB);
- return NULL;
+ goto err;
}
mac->name_id = name_id;
- if ((mac->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL) {
- evp_mac_free(mac);
- return NULL;
- }
+
+ if ((mac->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL)
+ goto err;
+
mac->description = algodef->algorithm_description;
for (; fns->function_id != 0; fns++) {
* a complete set of "mac" functions, and a complete set of context
* management functions, as well as the size function.
*/
- evp_mac_free(mac);
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
- return NULL;
+ goto err;
}
+
+ if (prov != NULL && !ossl_provider_up_ref(prov))
+ goto err;
+
mac->prov = prov;
- if (prov != NULL)
- ossl_provider_up_ref(prov);
return mac;
+
+err:
+ evp_mac_free(mac);
+ return NULL;
}
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
{
- int ret = EVP_PKEY_assign_RSA(pkey, key);
+ int ret;
+
+ if (!RSA_up_ref(key))
+ return 0;
+
+ ret = EVP_PKEY_assign_RSA(pkey, key);
+
+ if (!ret)
+ RSA_free(key);
- if (ret)
- RSA_up_ref(key);
return ret;
}
{
RSA *ret = evp_pkey_get0_RSA_int(pkey);
- if (ret != NULL)
- RSA_up_ref(ret);
+ if (ret != NULL && !RSA_up_ref(ret))
+ ret = NULL;
+
return ret;
}
int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
{
- int ret = EVP_PKEY_assign_DSA(pkey, key);
- if (ret)
- DSA_up_ref(key);
+ int ret;
+
+ if (!DSA_up_ref(key))
+ return 0;
+
+ ret = EVP_PKEY_assign_DSA(pkey, key);
+
+ if (!ret)
+ DSA_free(key);
+
return ret;
}
DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
{
DSA *ret = evp_pkey_get0_DSA_int(pkey);
- if (ret != NULL)
- DSA_up_ref(ret);
+ if (ret != NULL && !DSA_up_ref(ret))
+ return NULL;
+
return ret;
}
# endif /* OPENSSL_NO_DSA */
else
type = DH_get0_q(dhkey) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
+ if (!DH_up_ref(dhkey))
+ return 0;
+
ret = EVP_PKEY_assign(pkey, type, dhkey);
- if (ret)
- DH_up_ref(dhkey);
+ if (!ret)
+ DH_free(dhkey);
+
return ret;
}
{
DH *ret = evp_pkey_get0_DH_int(pkey);
- if (ret != NULL)
- DH_up_ref(ret);
+ if (ret != NULL && !DH_up_ref(ret))
+ ret = NULL;
+
return ret;
}
# endif
ret->engine = e;
ret->pmeth = pmeth;
ret->operation = EVP_PKEY_OP_UNDEFINED;
+
+ if (pkey != NULL && !EVP_PKEY_up_ref(pkey)) {
+ EVP_PKEY_CTX_free(ret);
+ return NULL;
+ }
+
ret->pkey = pkey;
- if (pkey != NULL)
- EVP_PKEY_up_ref(pkey);
if (pmeth != NULL && pmeth->init != NULL) {
if (pmeth->init(ret) <= 0) {
if (rctx == NULL)
return NULL;
- if (pctx->pkey != NULL)
- EVP_PKEY_up_ref(pctx->pkey);
+ if (pctx->pkey != NULL && !EVP_PKEY_up_ref(pctx->pkey))
+ goto err;
+
rctx->pkey = pctx->pkey;
rctx->operation = pctx->operation;
rctx->libctx = pctx->libctx;
rctx->engine = pctx->engine;
# endif
- if (pctx->peerkey != NULL)
- EVP_PKEY_up_ref(pctx->peerkey);
+ if (pctx->peerkey != NULL && !EVP_PKEY_up_ref(pctx->peerkey))
+ goto err;
+
rctx->peerkey = pctx->peerkey;
if (pctx->pmeth == NULL) {
if (signature == NULL)
return NULL;
- if (!CRYPTO_NEW_REF(&signature->refcnt, 1)) {
+ if (!CRYPTO_NEW_REF(&signature->refcnt, 1)
+ || !ossl_provider_up_ref(prov)) {
+ CRYPTO_FREE_REF(&signature->refcnt);
OPENSSL_free(signature);
return NULL;
}
signature->prov = prov;
- ossl_provider_up_ref(prov);
return signature;
}
return 0;
}
- X509_CRL_up_ref(crl);
+ if (!X509_CRL_up_ref(crl))
+ return 0;
if (!sk_X509_CRL_push(*sk, crl)) {
X509_CRL_free(crl);
return 0;
return 0;
/* lets keep the pkey around for a while */
- EVP_PKEY_up_ref(pkey);
+ if (!EVP_PKEY_up_ref(pkey))
+ return 0;
+
p7i->pkey = pkey;
/* Set the algorithms */
goto err;
}
finished:
- X509_up_ref(x509);
+ if (!X509_up_ref(x509))
+ goto err;
+
p7i->cert = x509;
return 1;
EVP_PKEY *OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO *info)
{
if (info->type == OSSL_STORE_INFO_PARAMS) {
- EVP_PKEY_up_ref(info->_.params);
+ if (!EVP_PKEY_up_ref(info->_.params))
+ return NULL;
return info->_.params;
}
ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_PARAMETERS);
EVP_PKEY *OSSL_STORE_INFO_get1_PUBKEY(const OSSL_STORE_INFO *info)
{
if (info->type == OSSL_STORE_INFO_PUBKEY) {
- EVP_PKEY_up_ref(info->_.pubkey);
+ if (!EVP_PKEY_up_ref(info->_.pubkey))
+ return NULL;
return info->_.pubkey;
}
ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_PUBLIC_KEY);
EVP_PKEY *OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO *info)
{
if (info->type == OSSL_STORE_INFO_PKEY) {
- EVP_PKEY_up_ref(info->_.pkey);
+ if (!EVP_PKEY_up_ref(info->_.pkey))
+ return NULL;
return info->_.pkey;
}
ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_PRIVATE_KEY);
X509 *OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO *info)
{
if (info->type == OSSL_STORE_INFO_CERT) {
- X509_up_ref(info->_.x509);
+ if (!X509_up_ref(info->_.x509))
+ return NULL;
return info->_.x509;
}
ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_CERTIFICATE);
X509_CRL *OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO *info)
{
if (info->type == OSSL_STORE_INFO_CRL) {
- X509_CRL_up_ref(info->_.crl);
+ if (!X509_CRL_up_ref(info->_.crl))
+ return NULL;
return info->_.crl;
}
ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NOT_A_CRL);
OSSL_STORE_LOADER *loader;
if ((loader = OPENSSL_zalloc(sizeof(*loader))) == NULL
- || !CRYPTO_NEW_REF(&loader->refcnt, 1)) {
+ || !CRYPTO_NEW_REF(&loader->refcnt, 1)
+ || !ossl_provider_up_ref(prov)) {
+ if (loader != NULL)
+ CRYPTO_FREE_REF(&loader->refcnt);
OPENSSL_free(loader);
return NULL;
}
+
loader->prov = prov;
- ossl_provider_up_ref(prov);
return loader;
}
ERR_raise(ERR_LIB_TS, TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
return 0;
}
+ if (!X509_up_ref(signer))
+ return 0;
+
X509_free(ctx->signer_cert);
ctx->signer_cert = signer;
- X509_up_ref(ctx->signer_cert);
+
return 1;
}
int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
{
+ if (!EVP_PKEY_up_ref(key))
+ return 0;
+
EVP_PKEY_free(ctx->signer_key);
ctx->signer_key = key;
- EVP_PKEY_up_ref(ctx->signer_key);
return 1;
}
}
if (signer_out) {
+ if (!X509_up_ref(signer))
+ goto err;
+
*signer_out = signer;
- X509_up_ref(signer);
}
ret = 1;
/* Access the cache which we now know exists */
cache = ossl_policy_cache_set(x);
- X509_up_ref(x);
+ if (!X509_up_ref(x))
+ goto bad_tree;
+
(++level)->cert = x;
if (!cache->anyPolicy)
if (ret != 0)
return ret > 0 ? 1 : 0;
}
+ if ((flags & X509_ADD_FLAG_UP_REF) != 0 && !X509_up_ref(cert))
+ return 0;
if (!sk_X509_insert(sk, cert,
(flags & X509_ADD_FLAG_PREPEND) != 0 ? 0 : -1)) {
+ if ((flags & X509_ADD_FLAG_UP_REF) != 0)
+ X509_free(cert);
ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
return 0;
}
- if ((flags & X509_ADD_FLAG_UP_REF) != 0)
- (void)X509_up_ref(cert);
return 1;
}
}
if (best_crl != NULL) {
+ if (!X509_CRL_up_ref(best_crl))
+ return 0;
X509_CRL_free(*pcrl);
*pcrl = best_crl;
*pissuer = best_crl_issuer;
*pscore = best_score;
*preasons = best_reasons;
- X509_CRL_up_ref(best_crl);
X509_CRL_free(*pdcrl);
*pdcrl = NULL;
get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
delta = sk_X509_CRL_value(crls, i);
if (check_delta_base(delta, base)) {
+ if (!X509_CRL_up_ref(delta)) {
+ *dcrl = NULL;
+ return;
+ }
+
+ *dcrl = delta;
+
if (check_crl_time(ctx, delta, 0))
*pscore |= CRL_SCORE_TIME_DELTA;
- X509_CRL_up_ref(delta);
- *dcrl = delta;
+
return;
}
}
if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK)
matched = 1;
if (matched || dane->mdpth < 0) {
- dane->mdpth = depth;
- dane->mtlsa = t;
+ if (!X509_up_ref(cert)) {
+ matched = -1;
+ break;
+ }
+
OPENSSL_free(dane->mcert);
dane->mcert = cert;
- X509_up_ref(cert);
+ dane->mdpth = depth;
+ dane->mtlsa = t;
}
break;
}
if ((foo = OPENSSL_zalloc(sizeof(*foo))) == NULL)
return NULL;
- if (!CRYPTO_NEW_REF(&foo->refcnt, 1)) {
- OPENSSL_free(foo);
- return NULL;
- }
+ if (!CRYPTO_NEW_REF(&foo->refcnt, 1))
+ goto err;
foo->name_id = name_id;
break;
}
}
+ if (prov != NULL && !ossl_provider_up_ref(prov))
+ goto err;
+
foo->prov = prov;
- if (prov)
- ossl_provider_up_ref(prov);
return foo;
+
+ err:
+ if (foo != NULL)
+ CRYPTO_FREE_REF(&foo->refcnt);
+ OPENSSL_free(foo);
+ return NULL
}
EVP_FOO_meth_free(EVP_FOO *foo)
PROV_AES_SIV_CTX *in = (PROV_AES_SIV_CTX *)in_vctx;
PROV_AES_SIV_CTX *out = (PROV_AES_SIV_CTX *)out_vctx;
+ if (in->cbc != NULL && !EVP_CIPHER_up_ref(in->cbc))
+ return 0;
+ if (in->ctr != NULL && !EVP_CIPHER_up_ref(in->ctr)) {
+ EVP_CIPHER_free(in->cbc);
+ return 0;
+ }
+
*out = *in;
out->siv.cipher_ctx = NULL;
out->siv.mac_ctx_init = NULL;
out->siv.mac = NULL;
if (!ossl_siv128_copy_ctx(&out->siv, &in->siv))
return 0;
- if (out->cbc != NULL)
- EVP_CIPHER_up_ref(out->cbc);
- if (out->ctr != NULL)
- EVP_CIPHER_up_ref(out->ctr);
+
return 1;
}
bs->ssl = ssl;
bio = SSL_get_rbio(ssl);
if (bio != NULL) {
+ if (!BIO_up_ref(bio)) {
+ ret = 0;
+ break;
+ }
if (next != NULL)
BIO_push(bio, next);
BIO_set_next(b, bio);
- BIO_up_ref(bio);
}
BIO_set_init(b, 1);
break;
* We are going to pass ownership of next to the SSL object...but
* we don't own a reference to pass yet - so up ref
*/
- BIO_up_ref(next);
- SSL_set_bio(ssl, next, next);
+ if (!BIO_up_ref(next))
+ ret = 0;
+ else
+ SSL_set_bio(ssl, next, next);
}
break;
case BIO_CTRL_POP:
if (sc->session == NULL || sc->s3.peer_tmp == NULL) {
return 0;
} else {
- EVP_PKEY_up_ref(sc->s3.peer_tmp);
+ if (!EVP_PKEY_up_ref(sc->s3.peer_tmp))
+ return 0;
+
*(EVP_PKEY **)parg = sc->s3.peer_tmp;
return 1;
}
if (sc->session == NULL || sc->s3.tmp.pkey == NULL) {
return 0;
} else {
- EVP_PKEY_up_ref(sc->s3.tmp.pkey);
+ if (!EVP_PKEY_up_ref(sc->s3.tmp.pkey))
+ return 0;
+
*(EVP_PKEY **)parg = sc->s3.tmp.pkey;
return 1;
}
}
if (cert->dh_tmp != NULL) {
+ if (!EVP_PKEY_up_ref(cert->dh_tmp))
+ goto err;
ret->dh_tmp = cert->dh_tmp;
- EVP_PKEY_up_ref(ret->dh_tmp);
}
ret->dh_tmp_cb = cert->dh_tmp_cb;
CERT_PKEY *rpk = ret->pkeys + i;
if (cpk->x509 != NULL) {
+ if (!X509_up_ref(cpk->x509))
+ goto err;
rpk->x509 = cpk->x509;
- X509_up_ref(rpk->x509);
}
if (cpk->privatekey != NULL) {
+ if (!EVP_PKEY_up_ref(cpk->privatekey))
+ goto err;
rpk->privatekey = cpk->privatekey;
- EVP_PKEY_up_ref(cpk->privatekey);
}
if (cpk->chain) {
ret->cert_cb_arg = cert->cert_cb_arg;
if (cert->verify_store) {
- X509_STORE_up_ref(cert->verify_store);
+ if (!X509_STORE_up_ref(cert->verify_store))
+ goto err;
ret->verify_store = cert->verify_store;
}
if (cert->chain_store) {
- X509_STORE_up_ref(cert->chain_store);
+ if (!X509_STORE_up_ref(cert->chain_store))
+ goto err;
ret->chain_store = cert->chain_store;
}
int ssl_cert_add1_chain_cert(SSL_CONNECTION *s, SSL_CTX *ctx, X509 *x)
{
- if (!ssl_cert_add0_chain_cert(s, ctx, x))
+ if (!X509_up_ref(x))
+ return 0;
+ if (!ssl_cert_add0_chain_cert(s, ctx, x)) {
+ X509_free(x);
return 0;
- X509_up_ref(x);
+ }
return 1;
}
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
{
X509_STORE **pstore;
+
+ if (ref && store && !X509_STORE_up_ref(store))
+ return 0;
+
if (chain)
pstore = &c->chain_store;
else
pstore = &c->verify_store;
X509_STORE_free(*pstore);
*pstore = store;
- if (ref && store)
- X509_STORE_up_ref(store);
+
return 1;
}
int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)
{
- ssl->type = type;
+ if (!SSL_CTX_up_ref(ctx))
+ return 0;
ssl->lock = CRYPTO_THREAD_lock_new();
- if (ssl->lock == NULL)
- return 0;
- if (!CRYPTO_NEW_REF(&ssl->references, 1)) {
- CRYPTO_THREAD_lock_free(ssl->lock);
- return 0;
- }
+ if (ssl->lock == NULL || !CRYPTO_NEW_REF(&ssl->references, 1))
+ goto err;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, ssl, &ssl->ex_data)) {
- CRYPTO_THREAD_lock_free(ssl->lock);
CRYPTO_FREE_REF(&ssl->references);
- ssl->lock = NULL;
- return 0;
+ goto err;
}
- SSL_CTX_up_ref(ctx);
ssl->ctx = ctx;
-
+ ssl->type = type;
ssl->defltmeth = ssl->method = method;
return 1;
+
+err:
+ CRYPTO_THREAD_lock_free(ssl->lock);
+ ssl->lock = NULL;
+ SSL_CTX_free(ctx);
+ return 0;
}
SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
s->ext.ocsp.exts = NULL;
s->ext.ocsp.resp = NULL;
s->ext.ocsp.resp_len = 0;
- SSL_CTX_up_ref(ctx);
+
+ if (!SSL_CTX_up_ref(ctx))
+ goto err;
+
s->session_ctx = ctx;
if (ctx->ext.ecpointformats) {
s->ext.ecpointformats =
{
X509 *r = SSL_get0_peer_certificate(s);
- if (r != NULL)
- X509_up_ref(r);
+ if (r != NULL && !X509_up_ref(r))
+ return NULL;
return r;
}
* TLSv1.3 without early data because some applications just want to
* know about the creation of a session and aren't doing a full cache.
*/
- if (s->session_ctx->new_session_cb != NULL) {
- SSL_SESSION_up_ref(s->session);
+ if (s->session_ctx->new_session_cb != NULL && SSL_SESSION_up_ref(s->session)) {
if (!s->session_ctx->new_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
s->session))
SSL_SESSION_free(s->session);
if (ctx == NULL)
ctx = sc->session_ctx;
new_cert = ssl_cert_dup(ctx->cert);
- if (new_cert == NULL) {
- return NULL;
- }
-
- if (!custom_exts_copy_flags(&new_cert->custext, &sc->cert->custext)) {
- ssl_cert_free(new_cert);
- return NULL;
- }
-
- ssl_cert_free(sc->cert);
- sc->cert = new_cert;
+ if (new_cert == NULL)
+ goto err;
+ if (!custom_exts_copy_flags(&new_cert->custext, &sc->cert->custext))
+ goto err;
/*
* Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
* so setter APIs must prevent invalid lengths from entering the system.
*/
if (!ossl_assert(sc->sid_ctx_length <= sizeof(sc->sid_ctx)))
- return NULL;
+ goto err;
+ if (!SSL_CTX_up_ref(ctx))
+ goto err;
/*
* If the session ID context matches that of the parent SSL_CTX,
memcpy(&sc->sid_ctx, &ctx->sid_ctx, sizeof(sc->sid_ctx));
}
- SSL_CTX_up_ref(ctx);
+ ssl_cert_free(sc->cert);
+ sc->cert = new_cert;
SSL_CTX_free(ssl->ctx); /* decrement reference count */
ssl->ctx = ctx;
return ssl->ctx;
+
+err:
+ ssl_cert_free(new_cert);
+ return NULL;
}
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
{
- if (store != NULL)
- X509_STORE_up_ref(store);
+ if (store != NULL && !X509_STORE_up_ref(store))
+ return;
+
SSL_CTX_set_cert_store(ctx, store);
}
if (c->pkeys[i].x509 != NULL
&& !X509_check_private_key(c->pkeys[i].x509, pkey))
return 0;
+ if (!EVP_PKEY_up_ref(pkey))
+ return 0;
EVP_PKEY_free(c->pkeys[i].privatekey);
- EVP_PKEY_up_ref(pkey);
c->pkeys[i].privatekey = pkey;
c->key = &c->pkeys[i];
return 1;
}
}
+ if (!X509_up_ref(x))
+ return 0;
+
X509_free(c->pkeys[i].x509);
- X509_up_ref(x);
c->pkeys[i].x509 = x;
c->key = &(c->pkeys[i]);
if (chain != NULL) {
dup_chain = X509_chain_up_ref(chain);
- if (dup_chain == NULL) {
+ if (dup_chain == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
goto out;
}
}
+ if (!X509_up_ref(x509))
+ goto out;
+
+ if (!EVP_PKEY_up_ref(privatekey)) {
+ X509_free(x509);
+ goto out;
+ }
+
OSSL_STACK_OF_X509_free(c->pkeys[i].chain);
c->pkeys[i].chain = dup_chain;
X509_free(c->pkeys[i].x509);
- X509_up_ref(x509);
c->pkeys[i].x509 = x509;
EVP_PKEY_free(c->pkeys[i].privatekey);
- EVP_PKEY_up_ref(privatekey);
c->pkeys[i].privatekey = privatekey;
c->key = &(c->pkeys[i]);
return 0;
}
- RSA_up_ref(rsa);
+ if (!RSA_up_ref(rsa)) {
+ EVP_PKEY_free(pkey);
+ return 0;
+ }
+
if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
RSA_free(rsa);
EVP_PKEY_free(pkey);
return 0;
}
- RSA_up_ref(rsa);
+ if (!RSA_up_ref(rsa)) {
+ EVP_PKEY_free(pkey);
+ return 0;
+ }
+
if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
RSA_free(rsa);
EVP_PKEY_free(pkey);
if (!CRYPTO_THREAD_read_lock(ssl->lock))
return NULL;
sess = SSL_get_session(ssl);
- if (sess != NULL)
- SSL_SESSION_up_ref(sess);
+ if (sess != NULL && !SSL_SESSION_up_ref(sess))
+ sess = NULL;
CRYPTO_THREAD_unlock(ssl->lock);
return sess;
}
ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
if (ret != NULL) {
/* don't allow other threads to steal it: */
- SSL_SESSION_up_ref(ret);
+ if (!SSL_SESSION_up_ref(ret)) {
+ CRYPTO_THREAD_unlock(s->session_ctx->lock);
+ return NULL;
+ }
}
CRYPTO_THREAD_unlock(s->session_ctx->lock);
if (ret == NULL)
* reference count itself [i.e. copy == 0], or things won't be
* thread-safe).
*/
- if (copy)
- SSL_SESSION_up_ref(ret);
+ if (copy && !SSL_SESSION_up_ref(ret))
+ return NULL;
/*
* Add the externally cached session to the internal cache as
* it has two ways of access: each session is in a doubly linked list and
* an lhash
*/
- SSL_SESSION_up_ref(c);
+ if (!SSL_SESSION_up_ref(c))
+ return 0;
/*
* if session c is in already in cache, we take back the increment later
*/
if (sc == NULL)
return 0;
+ if (session != NULL && !SSL_SESSION_up_ref(session))
+ return 0;
+
ssl_clear_bad_session(sc);
if (s->defltmeth != s->method) {
- if (!SSL_set_ssl_method(s, s->defltmeth))
+ if (!SSL_set_ssl_method(s, s->defltmeth)) {
+ SSL_SESSION_free(session);
return 0;
+ }
}
- if (session != NULL) {
- SSL_SESSION_up_ref(session);
+ if (session != NULL)
sc->verify_result = session->verify_result;
- }
+
SSL_SESSION_free(sc->session);
sc->session = session;
}
}
+ if (!X509_up_ref(x)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return WORK_ERROR;
+ }
+
X509_free(s->session->peer);
- X509_up_ref(x);
s->session->peer = x;
s->session->verify_result = s->verify_result;
/* Ensure there is no RPK */
if (chain != NULL) {
size_t i;
+ if (!BIO_up_ref(bio_out)) /* Protection against freeing */
+ goto err;
+
next = bio_out;
- BIO_up_ref(next); /* Protection against freeing */
for (i = 0; n > 0; i++, n--) {
BIO *curr = BIO_new(BIO_f_prefix());
if (pubkey) {
EVP_PKEY *key = raverified /* wrong key */ ? server_key : client_key;
- EVP_PKEY_up_ref(key);
+ if (!EVP_PKEY_up_ref(key))
+ return 0;
+
OSSL_CMP_CTX_set0_newPkey(fixture->cmp_ctx, 0 /* not priv */, key);
OSSL_CMP_SRV_CTX_set_accept_raverified(fixture->srv_ctx, 1);
}
if (!TEST_ptr(fixture->msg =
OSSL_CMP_MSG_dup(ir_unprotected))
|| !TEST_true(SET_OPT_UNPROTECTED_SEND(ctx, 0))
+ || !TEST_true(EVP_PKEY_up_ref(server_key))
|| !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, server_key))) {
tear_down(fixture);
fixture = NULL;
}
- EVP_PKEY_up_ref(server_key);
EXECUTE_TEST(execute_MSG_protect_test, tear_down);
return result;
}
goto err;
/* Create a stack; upref the cert because we free it below. */
- X509_up_ref(root);
- if (!TEST_true(sk_X509_push(roots, root))
- || !TEST_true(X509_STORE_CTX_init(ctx, store, leaf, NULL)))
+ if (!TEST_true(X509_up_ref(root)))
+ goto err;
+ if (!TEST_true(sk_X509_push(roots, root))) {
+ X509_free(root);
+ goto err;
+ }
+ if (!TEST_true(X509_STORE_CTX_init(ctx, store, leaf, NULL)))
goto err;
X509_STORE_CTX_set0_trusted_stack(ctx, roots);
X509_STORE_CTX_set0_crls(ctx, crls);
{
STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
- sk_X509_CRL_push(sk, x1);
- X509_CRL_up_ref(x1);
+ if (x1 != NULL) {
+ if (!X509_CRL_up_ref(x1))
+ goto err;
+ if (!sk_X509_CRL_push(sk, x1)) {
+ X509_CRL_free(x1);
+ goto err;
+ }
+ }
+
if (x2 != NULL) {
- sk_X509_CRL_push(sk, x2);
- X509_CRL_up_ref(x2);
+ if (!X509_CRL_up_ref(x2))
+ goto err;
+ if (!sk_X509_CRL_push(sk, x2)) {
+ X509_CRL_free(x2);
+ goto err;
+ }
}
+
return sk;
+
+err:
+ sk_X509_CRL_pop_free(sk, X509_CRL_free);
+ return NULL;
}
static int test_basic_crl(void)
#ifndef OPENSSL_NO_DEPRECATED_3_0
ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
/* assign the pkey directly, as an internal test */
- EVP_PKEY_up_ref(pkey);
+ if (!EVP_PKEY_up_ref(pkey))
+ goto done;
+
ctx2->pkey = pkey;
if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
BIO_set_mem_eof_return(c_to_s_bio, -1);
/* Up ref these as we are passing them to two SSL objects */
+ if (!BIO_up_ref(s_to_c_bio))
+ goto error;
+ if (!BIO_up_ref(c_to_s_bio)) {
+ BIO_free(s_to_c_bio);
+ goto error;
+ }
+
SSL_set_bio(serverssl, c_to_s_bio, s_to_c_bio);
- BIO_up_ref(s_to_c_bio);
- BIO_up_ref(c_to_s_bio);
SSL_set_bio(clientssl, s_to_c_bio, c_to_s_bio);
*sssl = serverssl;
*cssl = clientssl;
{
use_session_cb_cnt++;
- if (clientpsk == NULL)
+ if (clientpsk == NULL || !SSL_SESSION_up_ref(clientpsk))
return 0;
- SSL_SESSION_up_ref(clientpsk);
-
*sess = clientpsk;
*id = (const unsigned char *)pskid;
*idlen = strlen(pskid);
{
find_session_cb_cnt++;
- if (serverpsk == NULL)
+ if (serverpsk == NULL || !SSL_SESSION_up_ref(serverpsk))
return 0;
/* Identity should match that set by the client */
if (strlen(pskid) != identity_len
- || strncmp(pskid, (const char *)identity, identity_len) != 0)
+ || strncmp(pskid, (const char *)identity, identity_len) != 0) {
+ SSL_SESSION_free(serverpsk);
return 0;
+ }
- SSL_SESSION_up_ref(serverpsk);
*sess = serverpsk;
return 1;
find_session_cb_cnt = 0;
clientpsk = serverpsk = create_a_psk(clientquic, SHA384_DIGEST_LENGTH);
- if (!TEST_ptr(clientpsk))
- goto end;
/* We already had one ref. Add another one */
- SSL_SESSION_up_ref(clientpsk);
+ if (!TEST_ptr(clientpsk) || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
+ goto end;
if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))
|| !TEST_int_eq(1, find_session_cb_cnt)
NULL, NULL)))
goto end;
clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
- if (!TEST_ptr(clientpsk))
+ if (!TEST_ptr(clientpsk) || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
goto end;
- SSL_SESSION_up_ref(clientpsk);
if (!TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
* each BIO that will have ownership transferred in the SSL_set_bio()
* call
*/
- if (irbio != NULL)
- BIO_up_ref(irbio);
- if (iwbio != NULL && iwbio != irbio)
- BIO_up_ref(iwbio);
+ if (irbio != NULL && !BIO_up_ref(irbio))
+ goto end;
+ if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
+ BIO_free(irbio);
+ goto end;
+ }
}
if (conntype != CONNTYPE_NO_CONNECTION
if (nrbio != NULL
&& nrbio != irbio
&& (nwbio != iwbio || nrbio != nwbio))
- BIO_up_ref(nrbio);
+ if (!TEST_true(BIO_up_ref(nrbio)))
+ goto end;
if (nwbio != NULL
&& nwbio != nrbio
&& (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
- BIO_up_ref(nwbio);
+ if (!TEST_true(BIO_up_ref(nwbio))) {
+ if (nrbio != irbio
+ && (nwbio != iwbio || nrbio != nwbio))
+ BIO_free(nrbio);
+ goto end;
+ }
SSL_set_bio(clientssl, nrbio, nwbio);
return 0;
}
- if (clientpsk != NULL)
- SSL_SESSION_up_ref(clientpsk);
+ if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
+ return 0;
*sess = clientpsk;
*id = (const unsigned char *)pskid;
return 1;
}
- SSL_SESSION_up_ref(serverpsk);
+ if (!SSL_SESSION_up_ref(serverpsk))
+ return 0;
+
*sess = serverpsk;
return 1;
projects / thirdparty / openssl.git / commitdiff
