revert previous accidental commit

diff --git a/lib/libcrypto/malloc-wrapper.c b/lib/libcrypto/malloc-wrapper.c
index d69b025..6ba0aad 100644 (file)
--- a/lib/libcrypto/malloc-wrapper.c
+++ b/lib/libcrypto/malloc-wrapper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc-wrapper.c,v 1.4 2017/04/28 22:38:51 beck Exp $ */
+/* $OpenBSD: malloc-wrapper.c,v 1.5 2017/04/28 22:46:40 beck Exp $ */
 /*
  * Copyright (c) 2014 Bob Beck
  *
@@ -165,7 +165,8 @@ CRYPTO_realloc_clean(void *ptr, int old_len, int num, const char *file,
        ret = malloc(num);
        if (ret && ptr && old_len > 0) {
                memcpy(ret, ptr, old_len);
-               freezero(ptr, old_len);
+               explicit_bzero(ptr, old_len);
+               free(ptr);
        }
        return ret;
 }

diff --git a/lib/libcrypto/rsa/rsa_eay.c b/lib/libcrypto/rsa/rsa_eay.c
index 128269a..f9f620a 100644 (file)
--- a/lib/libcrypto/rsa/rsa_eay.c
+++ b/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.47 2017/04/28 22:38:51 beck Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.48 2017/04/28 22:46:40 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -244,8 +244,10 @@ err:
                BN_CTX_end(ctx);
                BN_CTX_free(ctx);
        }
-       freezero(buf, num);
-
+       if (buf != NULL) {
+               explicit_bzero(buf, num);
+               free(buf);
+       }
        return r;
 }
 
@@ -466,8 +468,10 @@ err:
                BN_CTX_end(ctx);
                BN_CTX_free(ctx);
        }
-       freezero(buf, num);
-
+       if (buf != NULL) {
+               explicit_bzero(buf, num);
+               free(buf);
+       }
        return r;
 }
 
@@ -593,8 +597,10 @@ err:
                BN_CTX_end(ctx);
                BN_CTX_free(ctx);
        }
-       freezero(buf, num);
-
+       if (buf != NULL) {
+               explicit_bzero(buf, num);
+               free(buf);
+       }
        return r;
 }
 
@@ -694,8 +700,10 @@ err:
                BN_CTX_end(ctx);
                BN_CTX_free(ctx);
        }
-       freezero(buf, num);
-
+       if (buf != NULL) {
+               explicit_bzero(buf, num);
+               free(buf);
+       }
        return r;
 }
 

diff --git a/lib/libcrypto/rsa/rsa_saos.c b/lib/libcrypto/rsa/rsa_saos.c
index 50522b9..10184b6 100644 (file)
--- a/lib/libcrypto/rsa/rsa_saos.c
+++ b/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.21 2017/04/28 22:38:51 beck Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.22 2017/04/28 22:46:40 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -96,8 +96,8 @@ RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
        else
                *siglen = i;
 
-       freezero(s, (unsigned int)j + 1);
-
+       explicit_bzero(s, (unsigned int)j + 1);
+       free(s);
        return ret;
 }
 
@@ -137,7 +137,9 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m,
                ret = 1;
 err:
        ASN1_OCTET_STRING_free(sig);
-       freezero(s, siglen);
-
+       if (s != NULL) {
+               explicit_bzero(s, (unsigned int)siglen);
+               free(s);
+       }
        return ret;
 }

diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c
index 618ec15..818b88c 100644 (file)
--- a/lib/libcrypto/rsa/rsa_sign.c
+++ b/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.27 2017/04/28 22:38:51 beck Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.28 2017/04/28 22:46:40 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,9 +135,10 @@ RSA_sign(int type, const unsigned char *m, unsigned int m_len,
        else
                *siglen = i;
 
-       if (type != NID_md5_sha1)
-               freezero(tmps, (unsigned int)j + 1);
-
+       if (type != NID_md5_sha1) {
+               explicit_bzero(tmps, (unsigned int)j + 1);
+               free(tmps);
+       }
        return (ret);
 }
 
@@ -233,9 +234,10 @@ int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
 err:
        if (sig != NULL)
                X509_SIG_free(sig);
-
-       freezero(s, (unsigned int)siglen);
-
+       if (s != NULL) {
+               explicit_bzero(s, (unsigned int)siglen);
+               free(s);
+       }
        return ret;
 }
 

diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 09d33d4..8c2f5b6 100644 (file)
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.62 2017/04/28 22:38:51 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.63 2017/04/28 22:46:40 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -541,7 +541,15 @@ X509_verify_cert(X509_STORE_CTX *ctx)
        /* Safety net, error returns must set ctx->error */
        if (ok <= 0 && ctx->error == X509_V_OK)
                ctx->error = X509_V_ERR_UNSPECIFIED;
-       return ok;
+
+       /*
+        * Safety net, if user provided verify callback indicates sucess
+        * make sure they have set error to X509_V_OK
+        */
+       if (ctx->verify_cb != null_callback && ok == 1)
+               ctx->error = X509_V_OK;
+
+       return(ctx->error == X509_V_OK);
 }
 
 /* Given a STACK_OF(X509) find the issuer of cert (if any)