Migrated x509_get_sha1_hash to use the garbage collector

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index f84a4fb11ef53acbc1471b7f3df0463fc2d5af16..578352802c2cc5c6f4774995e30eafa5b5970f34 100644 (file)
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -407,12 +407,11 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert
 #ifdef ENABLE_EUREPHIA
   /* export X509 cert SHA1 fingerprint */
   {
-    unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert);
+    unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);
 
     openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
     setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
                                          ":", &gc));
-    x509_free_sha1_hash(sha1_hash);
   }
 #endif
 
@@ -620,14 +619,12 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
   /* verify level 1 cert, i.e. the CA that signed our leaf cert */
   if (cert_depth == 1 && opt->verify_hash)
     {
-      unsigned char *sha1_hash = x509_get_sha1_hash(cert);
+      unsigned char *sha1_hash = x509_get_sha1_hash(cert, &gc);
       if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH))
       {
        msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");
-       x509_free_sha1_hash(sha1_hash);
        goto err;
       }
-      x509_free_sha1_hash(sha1_hash);
     }
 
   /* save common name in session object */

diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index ab44f951cbeb75d1cabf5282c7115fce2b2d8aff..1658cc02c1ea028b96614c2de993d8ffa4a19f3d 100644 (file)
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -88,21 +88,13 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth,
 char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc);
 
 /* Retrieve the certificate's SHA1 hash.
- *
- * The returned string must be freed with \c verify_free_sha1_hash()
  *
  * @param cert         Certificate to retrieve the hash from.
+ * @param gc           Garbage collection arena to use when allocating string.
  *
  * @return             a string containing the SHA1 hash of the certificate
  */
-unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert);
-
-/*
- * Free a hash as returned by \c verify_get_hash()
- *
- * @param hash         The subject to be freed.
- */
-void x509_free_sha1_hash (unsigned char *hash);
+unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc);
 
 /*
  * Retrieve the certificate's username from the specified field.

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index a9624267619887a46b4c836d405fbce773d5af40..4dfabfc014f66d15db2a4312bd012a2db37b9a20 100644 (file)
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -49,7 +49,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
   struct tls_session *session;
   SSL *ssl;
   struct gc_arena gc = gc_new();
-  unsigned char *sha1_hash = NULL;
 
   /* get the tls_session pointer */
   ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
@@ -57,9 +56,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
   session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
   ASSERT (session);
 
-  sha1_hash = x509_get_sha1_hash(ctx->current_cert);
-  cert_hash_remember (session, ctx->error_depth, sha1_hash);
-  x509_free_sha1_hash(sha1_hash);
+  cert_hash_remember (session, ctx->error_depth,
+      x509_get_sha1_hash(ctx->current_cert, &gc));
 
   /* did peer present cert which was signed by our root cert? */
   if (!preverify_ok)
@@ -238,20 +236,13 @@ x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 }
 
 unsigned char *
-x509_get_sha1_hash (X509 *cert)
+x509_get_sha1_hash (X509 *cert, struct gc_arena *gc)
 {
-  char *hash = malloc(SHA_DIGEST_LENGTH);
+  char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
   memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH);
   return hash;
 }
 
-void
-x509_free_sha1_hash (unsigned char *hash)
-{
-  if (hash)
-    free(hash);
-}
-
 char *
 x509_get_subject (X509 *cert, struct gc_arena *gc)
 {

diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index 384fe84281f7b7fb4fe29b9bf1ce041728cec5a3..d9d4fd584be7504bb3df01a52a8e0df22af581dd 100644 (file)
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -48,7 +48,6 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
 {
   struct tls_session *session = (struct tls_session *) session_obj;
   struct gc_arena gc = gc_new();
-  unsigned char *sha1_hash = NULL;
 
   ASSERT (cert);
   ASSERT (session);
@@ -56,9 +55,7 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
   session->verified = false;
 
   /* Remember certificate hash */
-  sha1_hash = x509_get_sha1_hash(cert);
-  cert_hash_remember (session, cert_depth, sha1_hash);
-  x509_free_sha1_hash(sha1_hash);
+  cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc));
 
   /* did peer present cert which was signed by our root cert? */
   if (!preverify_ok)
@@ -141,20 +138,13 @@ x509_get_serial (x509_cert *cert, struct gc_arena *gc)
 }
 
 unsigned char *
-x509_get_sha1_hash (x509_cert *cert)
+x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc)
 {
-  unsigned char *sha1_hash = malloc(SHA_DIGEST_LENGTH);
+  unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
   sha1(cert->tbs.p, cert->tbs.len, sha1_hash);
   return sha1_hash;
 }
 
-void
-x509_free_sha1_hash (unsigned char *hash)
-{
-  if (hash)
-    free(hash);
-}
-
 char *
 x509_get_subject(x509_cert *cert, struct gc_arena *gc)
 {
@@ -173,7 +163,6 @@ x509_get_subject(x509_cert *cert, struct gc_arena *gc)
   return subject;
 }
 
-
 /*
  * Save X509 fields to environment, using the naming convention:
  *