interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Revise all TLS interfaces to pass in GetDNS memory functions where necessary. 

This means we can remove OpenSSL_free() calls from request-internal.c and util-internal.c.
This commit is contained in:
Jim Hague 2018-11-27 14:41:46 +00:00
parent bc3106af94
commit 5e390a4b23
6 changed files with 105 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/context.c
View File

@ -633,11 +633,11 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
}
}
if (upstream->tls_session != NULL)
_getdns_tls_session_free(upstream->tls_session);
_getdns_tls_session_free(&upstreams->mf, upstream->tls_session);
if (upstream->tls_obj != NULL) {
_getdns_tls_connection_shutdown(upstream->tls_obj);
_getdns_tls_connection_free(upstream->tls_obj);
_getdns_tls_connection_free(&upstreams->mf, upstream->tls_obj);
}
if (upstream->fd != -1)
{
@ -750,7 +750,7 @@ _getdns_upstream_reset(getdns_upstream *upstream)
}
if (upstream->tls_obj != NULL) {
_getdns_tls_connection_shutdown(upstream->tls_obj);
_getdns_tls_connection_free(upstream->tls_obj);
_getdns_tls_connection_free(&upstream->upstreams->mf, upstream->tls_obj);
upstream->tls_obj = NULL;
}
if (upstream->fd != -1) {
@ -1681,7 +1681,7 @@ getdns_context_destroy(struct getdns_context *context)
GETDNS_FREE(context->my_mf, context->dns_transports);
if (context->tls_ctx)
_getdns_tls_context_free(context->tls_ctx);
_getdns_tls_context_free(&context->my_mf, context->tls_ctx);
getdns_list_destroy(context->dns_root_servers);
@ -3544,13 +3544,13 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
}
if (context->tls_ctx == NULL) {
context->tls_ctx = _getdns_tls_context_new();
context->tls_ctx = _getdns_tls_context_new(&context->my_mf);
if (context->tls_ctx == NULL)
return GETDNS_RETURN_BAD_CONTEXT;
r = _getdns_tls_context_set_min_proto_1_2(context->tls_ctx);
if (r && r != GETDNS_RETURN_NOT_IMPLEMENTED) {
_getdns_tls_context_free(context->tls_ctx);
_getdns_tls_context_free(&context->my_mf, context->tls_ctx);
context->tls_ctx = NULL;
return GETDNS_RETURN_BAD_CONTEXT;
}

84
src/openssl/tls.c
View File

@ -73,14 +73,14 @@ static int _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
return 1;
}
static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, X509* cert)
{
_getdns_tls_x509* res;
if (!cert)
return NULL;
res = malloc(sizeof(_getdns_tls_x509));
res = GETDNS_MALLOC(*mfs, _getdns_tls_x509);
if (res)
res->ssl = cert;
@ -187,11 +187,11 @@ void _getdns_tls_init()
(void)OPENSSL_init_ssl(0, NULL);
}
_getdns_tls_context* _getdns_tls_context_new()
_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs)
{
_getdns_tls_context* res;
if (!(res = malloc(sizeof(struct _getdns_tls_context))))
if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
return NULL;
/* Create client context, use TLS v1.2 only for now */
@ -201,18 +201,18 @@ _getdns_tls_context* _getdns_tls_context_new()
res->ssl = SSL_CTX_new(TLSv1_2_client_method());
# endif
if(res->ssl == NULL) {
free(res);
GETDNS_FREE(*mfs, res);
return NULL;
}
return res;
}
getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx)
getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx)
{
if (!ctx || !ctx->ssl)
return GETDNS_RETURN_INVALID_PARAMETER;
SSL_CTX_free(ctx->ssl);
free(ctx);
GETDNS_FREE(*mfs, ctx);
return GETDNS_RETURN_GOOD;
}
@ -270,25 +270,25 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
return GETDNS_RETURN_GENERIC_ERROR;
}
_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd)
_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd)
{
_getdns_tls_connection* res;
if (!ctx || !ctx->ssl)
return NULL;
if (!(res = malloc(sizeof(struct _getdns_tls_connection))))
if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_connection)))
return NULL;
res->ssl = SSL_new(ctx->ssl);
if (!res->ssl) {
free(res);
GETDNS_FREE(*mfs, res);
return NULL;
}
if (!SSL_set_fd(res->ssl, fd)) {
SSL_free(res->ssl);
free(res);
GETDNS_FREE(*mfs, res);
return NULL;
}
@ -300,12 +300,12 @@ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int
return res;
}
getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* conn)
getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn)
{
if (!conn || !conn->ssl)
return GETDNS_RETURN_INVALID_PARAMETER;
SSL_free(conn->ssl);
free(conn);
GETDNS_FREE(*mfs, conn);
return GETDNS_RETURN_GOOD;
}
@ -353,19 +353,19 @@ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn,
return GETDNS_RETURN_GOOD;
}
_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn)
_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn)
{
_getdns_tls_session* res;
if (!conn || !conn->ssl)
return NULL;
if (!(res = malloc(sizeof(struct _getdns_tls_session))))
if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_session)))
return NULL;
res->ssl = SSL_get1_session(conn->ssl);
if (!res->ssl) {
free(res);
GETDNS_FREE(*mfs, res);
return NULL;
}
@ -404,12 +404,12 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
}
}
_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn)
_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn)
{
if (!conn || !conn->ssl)
return NULL;
return _getdns_tls_x509_new(SSL_get_peer_certificate(conn->ssl));
return _getdns_tls_x509_new(mfs, SSL_get_peer_certificate(conn->ssl));
}
getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
@ -552,12 +552,12 @@ getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8
return GETDNS_RETURN_GOOD;
}
getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s)
getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s)
{
if (!s || !s->ssl)
return GETDNS_RETURN_INVALID_PARAMETER;
SSL_SESSION_free(s->ssl);
free(s);
GETDNS_FREE(*mfs, s);
return GETDNS_RETURN_GOOD;
}
@ -594,22 +594,38 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
return GETDNS_RETURN_GENERIC_ERROR;
}
void _getdns_tls_x509_free(_getdns_tls_x509* cert)
void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert)
{
if (cert && cert->ssl)
X509_free(cert->ssl);
free(cert);
GETDNS_FREE(*mfs, cert);
}
int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf)
int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata)
{
if (!cert || !cert->ssl)
unsigned char* buf = NULL;
int len;
if (!cert || !cert->ssl )
return 0;
return i2d_X509(cert->ssl, buf);
if (bindata == NULL)
return i2d_X509(cert->ssl, NULL);
len = i2d_X509(cert->ssl, &buf);
if (len == 0 || (bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, len)) == NULL) {
bindata->size = 0;
bindata->data = NULL;
} else {
bindata->size = len;
(void) memcpy(bindata->data, buf, len);
OPENSSL_free(buf);
}
return len;
}
unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
{
const EVP_MD* digester;
unsigned char* res;
@ -637,7 +653,7 @@ unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_
default : return NULL;
}
res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
if (!res)
return NULL;
@ -648,7 +664,7 @@ unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_
return res;
}
_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size)
_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
{
const EVP_MD *digester;
_getdns_tls_hmac* res;
@ -675,13 +691,13 @@ _getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t ke
default : return NULL;
}
if (!(res = malloc(sizeof(struct _getdns_tls_hmac))))
if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
return NULL;
#ifdef HAVE_HMAC_CTX_NEW
res->ctx = HMAC_CTX_new();
if (!res->ctx) {
free(res);
GETDNS_FREE(*mfs, res);
return NULL;
}
#else
@ -692,7 +708,7 @@ _getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t ke
#ifdef HAVE_HMAC_CTX_NEW
HMAC_CTX_free(res->ctx);
#endif
free(res);
GETDNS_FREE(*mfs, res);
return NULL;
}
@ -710,12 +726,12 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size
return GETDNS_RETURN_GOOD;
}
unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size)
unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
{
unsigned char* res;
unsigned int md_len;
res = (unsigned char*) malloc(EVP_MAX_MD_SIZE);
res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
if (!res)
return NULL;
@ -724,7 +740,7 @@ unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size)
#ifdef HAVE_HMAC_CTX_NEW
HMAC_CTX_free(h->ctx);
#endif
free(h);
GETDNS_FREE(*mfs, h);
if (output_size)
*output_size = md_len;

12
src/request-internal.c
View File

@ -125,7 +125,7 @@ network_req_cleanup(getdns_network_req *net_req)
GETDNS_FREE(net_req->owner->my_mf, net_req->response);
if (net_req->debug_tls_peer_cert.size &&
net_req->debug_tls_peer_cert.data)
OPENSSL_free(net_req->debug_tls_peer_cert.data);
GETDNS_FREE(net_req->owner->my_mf, net_req->debug_tls_peer_cert.data);
}
static uint8_t *
@ -435,7 +435,7 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
gldns_buffer_write_u16(&gbuf, 0); /* Error */
gldns_buffer_write_u16(&gbuf, 0); /* Other len */
md_buf = _getdns_tls_hmac_hash(upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len);
md_buf = _getdns_tls_hmac_hash(&req->owner->my_mf, upstream->tsig_alg, upstream->tsig_key, upstream->tsig_size, (void *)req->query, gldns_buffer_current(&gbuf) - req->query, &md_len);
if (!md_buf)
return req->response - req->query;
@ -457,7 +457,7 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
gldns_buffer_write_u16(&gbuf, 0); /* Error */
gldns_buffer_write_u16(&gbuf, 0); /* Other len */
free(md_buf);
GETDNS_FREE(req->owner->my_mf, md_buf);
if (gldns_buffer_position(&gbuf) > gldns_buffer_limit(&gbuf))
return req->response - req->query;
@ -595,14 +595,14 @@ _getdns_network_validate_tsig(getdns_network_req *req)
gldns_read_uint16(req->response + 10) - 1);
gldns_write_uint16(req->response, original_id);
hmac = _getdns_tls_hmac_new(req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
if (!hmac)
return;
_getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
_getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
_getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
result_mac = _getdns_tls_hmac_end(hmac, &result_mac_len);
result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len);
if (!result_mac)
return;
@ -612,6 +612,8 @@ _getdns_network_validate_tsig(getdns_network_req *req)
memcmp(result_mac, response_mac, result_mac_len) == 0)
req->tsig_status = GETDNS_DNSSEC_SECURE;
GETDNS_FREE(req->owner->my_mf, result_mac);
gldns_write_uint16(req->response, gldns_read_uint16(req->query));
gldns_write_uint16(req->response + 10,
gldns_read_uint16(req->response + 10) + 1);

21
src/stub.c
View File

@ -830,7 +830,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
getdns_context *context = dnsreq->context;
if (context->tls_ctx == NULL)
return NULL;
_getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd);
_getdns_tls_connection* tls = _getdns_tls_connection_new(&context->my_mf, context->tls_ctx, fd);
if(!tls)
return NULL;
#if HAVE_TLS_CONN_CURVES_LIST
@ -839,7 +839,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
#endif
/* make sure we'll be able to find the context again when we need it */
if (_getdns_associate_upstream_with_connection(tls, upstream) != GETDNS_RETURN_GOOD) {
_getdns_tls_connection_free(tls);
_getdns_tls_connection_free(&context->my_mf, tls);
return NULL;
}
@ -871,7 +871,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
"%-40s : Verify fail: *CONFIG ERROR* - No auth name or pinset provided for this upstream for Strict TLS authentication\n",
upstream->addr_str);
upstream->tls_hs_state = GETDNS_HS_FAILED;
_getdns_tls_connection_free(tls);
_getdns_tls_connection_free(&upstream->upstreams->mf, tls);
upstream->tls_auth_state = GETDNS_AUTH_FAILED;
return NULL;
}
@ -947,7 +947,7 @@ tls_do_handshake(getdns_upstream *upstream)
upstream->tls_auth_state = upstream->last_tls_auth_state;
else if (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]) {
_getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(upstream->tls_obj);
_getdns_tls_x509* peer_cert = _getdns_tls_connection_get_peer_certificate(&upstream->upstreams->mf, upstream->tls_obj);
if (!peer_cert) {
_getdns_upstream_log(upstream,
@ -994,7 +994,7 @@ tls_do_handshake(getdns_upstream *upstream)
"%-40s : Verify passed : TLS\n",
upstream->addr_str);
}
_getdns_tls_x509_free(peer_cert);
_getdns_tls_x509_free(&upstream->upstreams->mf, peer_cert);
}
if (upstream->tls_auth_state == GETDNS_AUTH_FAILED
&& !upstream->tls_fallback_ok)
@ -1008,8 +1008,8 @@ tls_do_handshake(getdns_upstream *upstream)
upstream->conn_state = GETDNS_CONN_OPEN;
upstream->conn_completed++;
if (upstream->tls_session != NULL)
_getdns_tls_session_free(upstream->tls_session);
upstream->tls_session = _getdns_tls_connection_get_session(upstream->tls_obj);
_getdns_tls_session_free(&upstream->upstreams->mf, upstream->tls_session);
upstream->tls_session = _getdns_tls_connection_get_session(&upstream->upstreams->mf, upstream->tls_obj);
/* Reset timeout on success*/
GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
upstream->event.read_cb = NULL;
@ -1634,10 +1634,9 @@ upstream_write_cb(void *userarg)
if (netreq->owner->return_call_reporting &&
netreq->upstream->tls_obj) {
if (netreq->debug_tls_peer_cert.data == NULL &&
(cert = _getdns_tls_connection_get_peer_certificate(netreq->upstream->tls_obj))) {
netreq->debug_tls_peer_cert.size = _getdns_tls_x509_to_der(
cert, &netreq->debug_tls_peer_cert.data);
_getdns_tls_x509_free(cert);
(cert = _getdns_tls_connection_get_peer_certificate(&upstream->upstreams->mf, netreq->upstream->tls_obj))) {
_getdns_tls_x509_to_der(&upstream->upstreams->mf, cert, &netreq->debug_tls_peer_cert);
_getdns_tls_x509_free(&upstream->upstreams->mf, cert);
}
netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
}

44
src/tls.h
View File

@ -55,18 +55,20 @@ void _getdns_tls_init();
/**
* Create a new TLS context.
*
* @param mfs point to getdns memory functions.
* @return pointer to new context or NULL on error.
*/
_getdns_tls_context* _getdns_tls_context_new();
_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs);
/**
* Free a TLS context.
*
* @param mfs point to getdns memory functions.
* @param ctx the context to free.
* @return GETDNS_RETURN_GOOD on success.
* @return GETDNS_RETURN_INVALID_PARAMETER if <code>ctx</code> is invalid.
*/
getdns_return_t _getdns_tls_context_free(_getdns_tls_context* ctx);
getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx);
/**
* Set TLS 1.2 as minimum TLS version.
@ -121,20 +123,22 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
/**
* Create a new TLS connection and associate it with a file descriptior.
*
* @param mfs pointer to getdns memory functions.
* @param ctx the context.
* @param fd the file descriptor to associate with the connection.
* @return pointer to new connection or NULL on error.
*/
_getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int fd);
_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd);
/**
* Free a TLS connection.
*
* @param mfs pointer to getdns memory functions.
* @param conn the connection to free.
* @return GETDNS_RETURN_GOOD on success.
* @return GETDNS_RETURN_INVALID_PARAMETER if <code>conn</code> is invalid.
*/
getdns_return_t _getdns_tls_connection_free(_getdns_tls_connection* ctx);
getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn);
/**
* Shut down a TLS connection.
@ -184,10 +188,11 @@ getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn,
/**
* Get the session for this connection.
*
* @param mfs pointer to getdns memory functions.
* @param conn the connection.
* @return pointer to the session or NULL on error.
*/
_getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn);
/**
* Report the TLS version of the connection.
@ -212,10 +217,11 @@ getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn
/**
* Get the connection peer certificate.
*
* @param mfs pointer to getdns memory functions.
* @param conn the connection.
* @return certificate or NULL on error.
*/
_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(_getdns_tls_connection* conn);
_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn);
/**
* See whether the connection is reusing a session.
@ -289,23 +295,32 @@ getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_
*/
getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written);
getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
/**
* Free a session.
*
* @param mfs pointer to getdns memory functions.
* @param s the session.
* @return GETDNS_RETURN_GOOD on success.
* @return GETDNS_RETURN_INVALID_PARAMETER if s is null or has no SSL.
*/
getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s);
/**
* Free X509 certificate.
*
* @param mfs pointer to getdns memory functions.
* @param cert the certificate.
*/
void _getdns_tls_x509_free(_getdns_tls_x509* cert);
void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert);
/**
* Convert X509 to DER.
*
* @param cert the certificate.
* @param buf buffer to receive conversion. NULL to just get the length.
* @param buf buffer to receive conversion.
* @return length of conversion, 0 on error.
*/
int _getdns_tls_x509_to_der(_getdns_tls_x509* cert, uint8_t** buf);
int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata);
/**
* Fill in dictionary with TLS API information.
@ -319,6 +334,7 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
/**
* Return buffer with HMAC hash.
*
* @param mfs pointer to getdns memory functions.
* @param algorithm hash algorithm to use (<code>GETDNS_HMAC_?</code>).
* @param key the key.
* @param key_size the key size.
@ -327,17 +343,18 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
* @param output_size the output size will be written here if not NULL.
* @return output malloc'd buffer with output, NULL on error.
*/
unsigned char* _getdns_tls_hmac_hash(int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
/**
* Return a new HMAC handle.
*
* @param mfs pointer to getdns memory functions.
* @param algorithm hash algorithm to use (<code>GETDNS_HMAC_?</code>).
* @param key the key.
* @param key_size the key size.
* @return HMAC handle or NULL on error.
*/
_getdns_tls_hmac* _getdns_tls_hmac_new(int algorithm, const void* key, size_t key_size);
_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size);
/**
* Add data to a HMAC.
@ -354,10 +371,11 @@ getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size
/**
* Return the HMAC digest and free the handle.
*
* @param mfs pointer to getdns memory functions.
* @param h the HMAC.
* @param output_size the output size will be written here if not NULL.
* @return output malloc'd buffer with output, NULL on error.
*/
unsigned char* _getdns_tls_hmac_end(_getdns_tls_hmac* h, size_t* output_size);
unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
#endif /* _GETDNS_TLS_H */

2
src/util-internal.c
View File

@ -933,7 +933,7 @@ _getdns_create_call_reporting_dict(
return NULL;
}
netreq->debug_tls_peer_cert.size = 0;
OPENSSL_free(netreq->debug_tls_peer_cert.data);
GETDNS_FREE(context->my_mf, netreq->debug_tls_peer_cert.data);
netreq->debug_tls_peer_cert.data = NULL;
return netreq_debug;
}