From: Eugene Syromiatnikov Date: Thu, 17 Jul 2025 08:40:15 +0000 (+0200) Subject: ssl: use array memory (re)allocation routines X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=351caebeac7a71896012222d10b9364e4a8c3e94;p=thirdparty%2Fopenssl.git ssl: use array memory (re)allocation routines Signed-off-by: Eugene Syromiatnikov Reviewed-by: Saša Nedvědický Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/28059) --- diff --git a/ssl/priority_queue.c b/ssl/priority_queue.c index ed1d191f2e..51748f49d6 100644 --- a/ssl/priority_queue.c +++ b/ssl/priority_queue.c @@ -310,12 +310,12 @@ int ossl_pqueue_reserve(OSSL_PQUEUE *pq, size_t n) return 0; } - h = OPENSSL_realloc(pq->heap, new_max * sizeof(*pq->heap)); + h = OPENSSL_realloc_array(pq->heap, new_max, sizeof(*pq->heap)); if (h == NULL) return 0; pq->heap = h; - e = OPENSSL_realloc(pq->elements, new_max * sizeof(*pq->elements)); + e = OPENSSL_realloc_array(pq->elements, new_max, sizeof(*pq->elements)); if (e == NULL) return 0; pq->elements = e; @@ -339,8 +339,8 @@ OSSL_PQUEUE *ossl_pqueue_new(int (*compare)(const void *, const void *)) pq->hmax = min_nodes; pq->htop = 0; pq->freelist = 0; - pq->heap = OPENSSL_malloc(sizeof(*pq->heap) * min_nodes); - pq->elements = OPENSSL_malloc(sizeof(*pq->elements) * min_nodes); + pq->heap = OPENSSL_malloc_array(min_nodes, sizeof(*pq->heap)); + pq->elements = OPENSSL_malloc_array(min_nodes, sizeof(*pq->elements)); if (pq->heap == NULL || pq->elements == NULL) { ossl_pqueue_free(pq); return NULL; diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 3b6c160cb6..5c10abfc09 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -812,7 +812,7 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl) } if (mac_size > 0) { - macbufs = OPENSSL_zalloc(sizeof(*macbufs) * num_recs); + macbufs = OPENSSL_calloc(num_recs, sizeof(*macbufs)); if (macbufs == NULL) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return OSSL_RECORD_RETURN_FATAL; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index a3e2eae252..ae65d43196 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -74,7 +74,7 @@ CERT *ssl_cert_new(size_t ssl_pkey_num) return NULL; ret->ssl_pkey_num = ssl_pkey_num; - ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY)); + ret->pkeys = OPENSSL_calloc(ret->ssl_pkey_num, sizeof(CERT_PKEY)); if (ret->pkeys == NULL) { OPENSSL_free(ret); return NULL; @@ -105,7 +105,7 @@ CERT *ssl_cert_dup(CERT *cert) return NULL; ret->ssl_pkey_num = cert->ssl_pkey_num; - ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY)); + ret->pkeys = OPENSSL_calloc(ret->ssl_pkey_num, sizeof(CERT_PKEY)); if (ret->pkeys == NULL) { OPENSSL_free(ret); return NULL; @@ -170,8 +170,8 @@ CERT *ssl_cert_dup(CERT *cert) /* Configured sigalgs copied across */ if (cert->conf_sigalgs) { - ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen - * sizeof(*cert->conf_sigalgs)); + ret->conf_sigalgs = OPENSSL_malloc_array(cert->conf_sigalgslen, + sizeof(*cert->conf_sigalgs)); if (ret->conf_sigalgs == NULL) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, @@ -181,8 +181,9 @@ CERT *ssl_cert_dup(CERT *cert) ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { - ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen - * sizeof(*cert->client_sigalgs)); + ret->client_sigalgs = + OPENSSL_malloc_array(cert->client_sigalgslen, + sizeof(*cert->client_sigalgs)); if (ret->client_sigalgs == NULL) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index ca57cf67af..2c35f31065 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -948,7 +948,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, curr = curr->next; } - number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1)); + number_uses = OPENSSL_calloc(max_strength_bits + 1, sizeof(int)); if (number_uses == NULL) return 0; @@ -1475,7 +1475,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, num_of_ciphers = ssl_method->num_ciphers(); if (num_of_ciphers > 0) { - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + co_list = OPENSSL_malloc_array(num_of_ciphers, sizeof(*co_list)); if (co_list == NULL) return NULL; /* Failure */ } @@ -1586,7 +1586,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, */ num_of_group_aliases = OSSL_NELEM(cipher_aliases); num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; - ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); + ca_list = OPENSSL_malloc_array(num_of_alias_max, sizeof(*ca_list)); if (ca_list == NULL) { OPENSSL_free(co_list); return NULL; /* Failure */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 31fb6d9dff..ce95a748c7 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -124,8 +124,8 @@ static int dane_ctx_enable(struct dane_ctx_st *dctx) if (dctx->mdevp != NULL) return 1; - mdevp = OPENSSL_zalloc(n * sizeof(*mdevp)); - mdord = OPENSSL_zalloc(n * sizeof(*mdord)); + mdevp = OPENSSL_calloc(n, sizeof(*mdevp)); + mdord = OPENSSL_calloc(n, sizeof(*mdord)); if (mdord == NULL || mdevp == NULL) { OPENSSL_free(mdord); @@ -232,12 +232,12 @@ static int dane_mtype_set(struct dane_ctx_st *dctx, uint8_t *mdord; int n = ((int)mtype) + 1; - mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp)); + mdevp = OPENSSL_realloc_array(dctx->mdevp, n, sizeof(*mdevp)); if (mdevp == NULL) return -1; dctx->mdevp = mdevp; - mdord = OPENSSL_realloc(dctx->mdord, n * sizeof(*mdord)); + mdord = OPENSSL_realloc_array(dctx->mdord, n, sizeof(*mdord)); if (mdord == NULL) return -1; dctx->mdord = mdord; @@ -6899,7 +6899,7 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) *outlen = 0; return 1; } - if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) + if ((present = OPENSSL_malloc_array(num, sizeof(*present))) == NULL) return 0; for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) { ext = sc->clienthello->pre_proc_exts + i; @@ -7145,7 +7145,7 @@ int ssl_cache_cipherlist(SSL_CONNECTION *s, PACKET *cipher_suites, int sslv2form * slightly over allocate because we won't store those. But that isn't a * problem. */ - raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); + raw = OPENSSL_malloc_array(numciphers, TLS_CIPHER_LEN); s->s3.tmp.ciphers_raw = raw; if (raw == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index d786670855..b3158dfd77 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -627,7 +627,7 @@ int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet, custom_ext_init(&s->cert->custext); num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); - raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); + raw_extensions = OPENSSL_calloc(num_exts, sizeof(*raw_extensions)); if (raw_extensions == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return 0; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 00c216600f..02955752a7 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -664,12 +664,14 @@ static KS_EXTRACTION_RESULT extract_keyshares(SSL_CONNECTION *s, PACKET *key_sha unsigned int group_id = 0; /* Prepare memory to hold the extracted key share groups and related pubkeys */ - *keyshares_arr = OPENSSL_malloc(*keyshares_max * sizeof(**keyshares_arr)); + *keyshares_arr = OPENSSL_malloc_array(*keyshares_max, + sizeof(**keyshares_arr)); if (*keyshares_arr == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto failure; } - *encoded_pubkey_arr = OPENSSL_malloc(*keyshares_max * sizeof(**encoded_pubkey_arr)); + *encoded_pubkey_arr = OPENSSL_malloc_array(*keyshares_max, + sizeof(**encoded_pubkey_arr)); if (*encoded_pubkey_arr == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto failure; @@ -750,16 +752,17 @@ static KS_EXTRACTION_RESULT extract_keyshares(SSL_CONNECTION *s, PACKET *key_sha if (*keyshares_cnt == *keyshares_max) { PACKET *tmp_pkt; uint16_t *tmp = - OPENSSL_realloc(*keyshares_arr, - (*keyshares_max + GROUPLIST_INCREMENT) * sizeof(**keyshares_arr)); + OPENSSL_realloc_array(*keyshares_arr, + *keyshares_max + GROUPLIST_INCREMENT, + sizeof(**keyshares_arr)); if (tmp == NULL) goto failure; *keyshares_arr = tmp; tmp_pkt = - OPENSSL_realloc(*encoded_pubkey_arr, - (*keyshares_max + GROUPLIST_INCREMENT) * - sizeof(**encoded_pubkey_arr)); + OPENSSL_realloc_array(*encoded_pubkey_arr, + *keyshares_max + GROUPLIST_INCREMENT, + sizeof(**encoded_pubkey_arr)); if (tmp_pkt == NULL) goto failure; *encoded_pubkey_arr = tmp_pkt; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 4278c4aec1..a968becdfc 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2601,7 +2601,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, if (s->s3.tmp.valid_flags != NULL) memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); else - s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); + s->s3.tmp.valid_flags = OPENSSL_calloc(s->ssl_pkey_num, sizeof(uint32_t)); /* Give up for good if allocation didn't work */ if (s->s3.tmp.valid_flags == NULL) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 0e245b1c27..aa41a341ac 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -239,13 +239,13 @@ static int add_provider_groups(const OSSL_PARAM params[], void *data) TLS_GROUP_INFO *tmp = NULL; if (ctx->group_list_max_len == 0) - tmp = OPENSSL_malloc(sizeof(TLS_GROUP_INFO) - * TLS_GROUP_LIST_MALLOC_BLOCK_SIZE); + tmp = OPENSSL_malloc_array(TLS_GROUP_LIST_MALLOC_BLOCK_SIZE, + sizeof(TLS_GROUP_INFO)); else - tmp = OPENSSL_realloc(ctx->group_list, - (ctx->group_list_max_len - + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE) - * sizeof(TLS_GROUP_INFO)); + tmp = OPENSSL_realloc_array(ctx->group_list, + ctx->group_list_max_len + + TLS_GROUP_LIST_MALLOC_BLOCK_SIZE, + sizeof(TLS_GROUP_INFO)); if (tmp == NULL) return 0; ctx->group_list = tmp; @@ -389,13 +389,13 @@ static int add_provider_sigalgs(const OSSL_PARAM params[], void *data) TLS_SIGALG_INFO *tmp = NULL; if (ctx->sigalg_list_max_len == 0) - tmp = OPENSSL_malloc(sizeof(TLS_SIGALG_INFO) - * TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE); + tmp = OPENSSL_malloc_array(TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE, + sizeof(TLS_SIGALG_INFO)); else - tmp = OPENSSL_realloc(ctx->sigalg_list, - (ctx->sigalg_list_max_len - + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE) - * sizeof(TLS_SIGALG_INFO)); + tmp = OPENSSL_realloc_array(ctx->sigalg_list, + ctx->sigalg_list_max_len + + TLS_SIGALG_LIST_MALLOC_BLOCK_SIZE, + sizeof(TLS_SIGALG_INFO)); if (tmp == NULL) return 0; ctx->sigalg_list = tmp; @@ -688,7 +688,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx) /* now populate ctx->ssl_cert_info */ if (ctx->sigalg_list_len > 0) { OPENSSL_free(ctx->ssl_cert_info); - ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len); + ctx->ssl_cert_info = OPENSSL_calloc(ctx->sigalg_list_len, sizeof(lu)); if (ctx->ssl_cert_info == NULL) return 0; for(i = 0; i < ctx->sigalg_list_len; i++) { @@ -1099,11 +1099,11 @@ int tls1_set_groups(uint16_t **grpext, size_t *grpextlen, ERR_raise(ERR_LIB_SSL, SSL_R_BAD_LENGTH); return 0; } - if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) + if ((glist = OPENSSL_malloc_array(ngroups, sizeof(*glist))) == NULL) goto err; - if ((kslist = OPENSSL_malloc(1 * sizeof(*kslist))) == NULL) + if ((kslist = OPENSSL_malloc_array(1, sizeof(*kslist))) == NULL) goto err; - if ((tpllist = OPENSSL_malloc(1 * sizeof(*tpllist))) == NULL) + if ((tpllist = OPENSSL_malloc_array(1, sizeof(*tpllist))) == NULL) goto err; for (i = 0; i < ngroups; i++) { unsigned long idmask; @@ -1386,8 +1386,9 @@ static int gid_cb(const char *elem, int len, void *arg) /* Memory management in case more groups are present compared to initial allocation */ if (garg->gidcnt == garg->gidmax) { uint16_t *tmp = - OPENSSL_realloc(garg->gid_arr, - (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)); + OPENSSL_realloc_array(garg->gid_arr, + garg->gidmax + GROUPLIST_INCREMENT, + sizeof(*garg->gid_arr)); if (tmp == NULL) return 0; @@ -1398,8 +1399,9 @@ static int gid_cb(const char *elem, int len, void *arg) /* Memory management for key share groups */ if (garg->ksidcnt == garg->ksidmax) { uint16_t *tmp = - OPENSSL_realloc(garg->ksid_arr, - (garg->ksidmax + GROUPLIST_INCREMENT) * sizeof(*garg->ksid_arr)); + OPENSSL_realloc_array(garg->ksid_arr, + garg->ksidmax + GROUPLIST_INCREMENT, + sizeof(*garg->ksid_arr)); if (tmp == NULL) return 0; @@ -1543,8 +1545,9 @@ static int tuple_cb(const char *tuple, int len, void *arg) /* Memory management for tuples */ if (garg->tplcnt == garg->tplmax) { size_t *tmp = - OPENSSL_realloc(garg->tuplcnt_arr, - (garg->tplmax + GROUPLIST_INCREMENT) * sizeof(*garg->tuplcnt_arr)); + OPENSSL_realloc_array(garg->tuplcnt_arr, + garg->tplmax + GROUPLIST_INCREMENT, + sizeof(*garg->tuplcnt_arr)); if (tmp == NULL) return 0; @@ -1612,14 +1615,14 @@ int tls1_set_groups_list(SSL_CTX *ctx, gcb.ctx = ctx; /* Prepare initial chunks of memory for groups, tuples and keyshares groupIDs */ - gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); + gcb.gid_arr = OPENSSL_malloc_array(gcb.gidmax, sizeof(*gcb.gid_arr)); if (gcb.gid_arr == NULL) goto end; - gcb.tuplcnt_arr = OPENSSL_malloc(gcb.tplmax * sizeof(*gcb.tuplcnt_arr)); + gcb.tuplcnt_arr = OPENSSL_malloc_array(gcb.tplmax, sizeof(*gcb.tuplcnt_arr)); if (gcb.tuplcnt_arr == NULL) goto end; gcb.tuplcnt_arr[0] = 0; - gcb.ksid_arr = OPENSSL_malloc(gcb.ksidmax * sizeof(*gcb.ksid_arr)); + gcb.ksid_arr = OPENSSL_malloc_array(gcb.ksidmax, sizeof(*gcb.ksid_arr)); if (gcb.ksid_arr == NULL) goto end; @@ -2194,11 +2197,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) sigalgs_len = OSSL_NELEM(sigalg_lookup_tbl) + ctx->sigalg_list_len; - cache = OPENSSL_zalloc(sizeof(const SIGALG_LOOKUP) * sigalgs_len); + cache = OPENSSL_calloc(sigalgs_len, sizeof(const SIGALG_LOOKUP)); if (cache == NULL || tmpkey == NULL) goto err; - tls12_sigalgs_list = OPENSSL_zalloc(sizeof(uint16_t) * sigalgs_len); + tls12_sigalgs_list = OPENSSL_calloc(sigalgs_len, sizeof(uint16_t)); if (tls12_sigalgs_list == NULL) goto err; @@ -2956,7 +2959,7 @@ int tls1_set_server_sigalgs(SSL_CONNECTION *s) if (s->s3.tmp.valid_flags) memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); else - s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); + s->s3.tmp.valid_flags = OPENSSL_calloc(s->ssl_pkey_num, sizeof(uint32_t)); if (s->s3.tmp.valid_flags == NULL) return 0; /* @@ -3529,7 +3532,7 @@ static int tls1_set_shared_sigalgs(SSL_CONNECTION *s) } nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); if (nmatch) { - if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) + if ((salgs = OPENSSL_malloc_array(nmatch, sizeof(*salgs))) == NULL) return 0; nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); } else { @@ -3554,7 +3557,7 @@ int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) size >>= 1; - if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) + if ((buf = OPENSSL_malloc_array(size, sizeof(*buf))) == NULL) return 0; for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) buf[i] = stmp; @@ -3846,7 +3849,7 @@ int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, { uint16_t *sigalgs; - if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) + if ((sigalgs = OPENSSL_malloc_array(salglen, sizeof(*sigalgs))) == NULL) return 0; memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); @@ -3870,7 +3873,7 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) if (salglen & 1) return 0; - if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) + if ((sigalgs = OPENSSL_malloc_array(salglen / 2, sizeof(*sigalgs))) == NULL) return 0; for (i = 0, sptr = sigalgs; i < salglen; i += 2) { size_t j;