author | Edward Thomson <ethomson@edwardthomson.com> | 2018-07-21 01:11:58 +0100 |
---|---|---|
committer | Edward Thomson <ethomson@edwardthomson.com> | 2018-07-20 17:21:51 -0700 |
commit | 9e002cd54b855c078379819b39dfaf9d9d8bf54a (patch) | |
tree | 5ca7fcbd9ddd5100009cb0ad842524b56844f8c4 | |
parent | 4e62d26ff429816747bf75e8e3913338427557bc (diff) | |
download | libgit2-9e002cd54b855c078379819b39dfaf9d9d8bf54a.tar.gz |
mbedtls: make ciphers_list a static array
Instead of allocating the ciphers_list, make it a static array. This
prevents us from leaking it or having to manage its memory.
-rw-r--r-- | src/streams/mbedtls.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c index 3e19c05ea..b6929cc63 100644 --- a/src/streams/mbedtls.c +++ b/src/streams/mbedtls.c @@ -43,12 +43,13 @@ #undef inline -mbedtls_ssl_config *git__ssl_conf; -mbedtls_entropy_context *mbedtls_entropy; - #define GIT_SSL_DEFAULT_CIPHERS "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA" #define GIT_SSL_DEFAULT_CIPHERS_COUNT 30 +mbedtls_ssl_config *git__ssl_conf; +static int ciphers_list[GIT_SSL_DEFAULT_CIPHERS_COUNT]; +mbedtls_entropy_context *mbedtls_entropy; + /** * This function aims to clean-up the SSL context which * we allocated. @@ -80,8 +81,7 @@ int git_mbedtls_stream_global_init(void) struct stat statbuf; mbedtls_ctr_drbg_context *ctr_drbg = NULL; - int *ciphers_list = NULL; - int ciphers_known = 0; + size_t ciphers_known = 0; char *cipher_name = NULL; char *cipher_string = NULL; char *cipher_string_tmp = NULL; 
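Review bot: `ciphers_list` has exactly `GIT_SSL_DEFAULT_CIPHERS_COUNT` slots, which leaves no room for the terminating 0 that mbed TLS documents for the list handed to `mbedtls_ssl_conf_ciphersuites`. The default string names 30 suites and the bounds check added in the `@@ -120,6 +117,11 @@` hunk accepts up to 30 entries, so if every name resolved to an id the library would read past the end of the array. Declaring it as `static int ciphers_list[GIT_SSL_DEFAULT_CIPHERS_COUNT + 1];` and testing `ciphers_known >= ARRAY_SIZE(ciphers_list) - 1` keeps the last slot zero. A comment such as `/* 0-terminated; mbed TLS keeps this pointer, so it must outlive git__ssl_conf */` would record why the array has static storage.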
@@ -109,9 +109,6 @@ int git_mbedtls_stream_global_init(void) mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL); /* set the list of allowed ciphersuites */ - ciphers_list = git__calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int)); - GITERR_CHECK_ALLOC(ciphers_list); - ciphers_known = 0; cipher_string = cipher_string_tmp = git__strdup(GIT_SSL_DEFAULT_CIPHERS); GITERR_CHECK_ALLOC(cipher_string); @@ -120,6 +117,11 @@ int git_mbedtls_stream_global_init(void) int cipherid = mbedtls_ssl_get_ciphersuite_id(cipher_name); if (cipherid == 0) continue; + if (ciphers_known >= ARRAY_SIZE(ciphers_list)) { + giterr_set(GITERR_SSL, "out of cipher list space"); + goto cleanup; + } + ciphers_list[ciphers_known++] = cipherid; } git__free(cipher_string); @@ -129,7 +131,6 @@ int git_mbedtls_stream_global_init(void) goto cleanup; } mbedtls_ssl_conf_ciphersuites(git__ssl_conf, ciphers_list); - git__free(ciphers_list); /* Seeding the random number generator */ mbedtls_entropy = git__malloc(sizeof(mbedtls_entropy_context)); @@ -167,7 +168,6 @@ cleanup: mbedtls_ctr_drbg_free(ctr_drbg); git__free(ctr_drbg); mbedtls_ssl_config_free(git__ssl_conf); - git__free(ciphers_list); git__free(git__ssl_conf); git__ssl_conf = NULL; |
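Review bot: The new `goto cleanup` inside the cipher loop (hunk `@@ -120,6 +117,11 @@`) skips the `git__free(cipher_string);` that follows the loop, and the `cleanup:` lines visible in the last hunk do not free it either, so the strdup'd buffer appears to leak on this error path. Adding `git__free(cipher_string);` immediately before that `goto cleanup;` would close it. The loop header and the remainder of `git_mbedtls_stream_global_init` lie outside the hunk, so this should be confirmed against the full function.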