diff options
| author | Adriaan de Jong <dejong@fox-it.com> | 2012-02-14 11:11:25 +0100 |
|---|---|---|
| committer | David Sommerseth <davids@redhat.com> | 2012-03-30 22:50:47 +0200 |
| commit | 025f30d7c6434aaf0ab4af3744f76aaf8c0b71d6 (patch) | |
| tree | c976ac306e542d7a49e546be38b037748b736c5d | |
| parent | 00b973f8af85c3ea8fa3cef80eec55e8dc139b27 (diff) | |
| download | openvpn-025f30d7c6434aaf0ab4af3744f76aaf8c0b71d6.tar.gz openvpn-025f30d7c6434aaf0ab4af3744f76aaf8c0b71d6.tar.xz openvpn-025f30d7c6434aaf0ab4af3744f76aaf8c0b71d6.zip | |
Migrated x509_get_serial to use the garbage collector
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
| -rw-r--r-- | src/openvpn/ssl_verify.c | 28 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify_backend.h | 11 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 17 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify_polarssl.c | 17 |
4 files changed, 26 insertions, 47 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c4612f9..f84a4fb 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -383,6 +383,8 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert ) { char envname[64]; + char *serial = NULL; + struct gc_arena gc = gc_new (); /* Save X509 fields in environment */ #ifdef ENABLE_X509_TRACK @@ -405,25 +407,21 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert #ifdef ENABLE_EUREPHIA /* export X509 cert SHA1 fingerprint */ { - struct gc_arena gc = gc_new (); unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert); openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth); setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, ":", &gc)); x509_free_sha1_hash(sha1_hash); - gc_free(&gc); } #endif - /* export serial number as environmental variable, - use bignum in case serial number is large */ - { - char *serial = x509_get_serial(peer_cert); - openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth); - setenv_str (es, envname, serial); - x509_free_serial(serial); - } + /* export serial number as environmental variable */ + serial = x509_get_serial(peer_cert, &gc); + openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth); + setenv_str (es, envname, serial); + + gc_free(&gc); } /* @@ -543,24 +541,26 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) { char fn[256]; int fd; - char *serial = x509_get_serial(cert); + struct gc_arena gc = gc_new(); + + char *serial = x509_get_serial(cert, &gc); if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) { msg (D_HANDSHAKE, "VERIFY CRL: filename overflow"); - x509_free_serial(serial); + gc_free(&gc); return FAILURE; } fd = platform_open (fn, O_RDONLY, 0); if (fd >= 0) { msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); - x509_free_serial(serial); close(fd); + gc_free(&gc); return FAILURE; } - x509_free_serial(serial); + gc_free(&gc); return SUCCESS; } diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index ac71d18..ab44f95 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -124,20 +124,13 @@ result_t x509_get_username (char *common_name, int cn_len, * Return the certificate's serial number. * * The serial number is returned as a string, since it might be a bignum. - * The returned string must be freed with \c verify_free_serial() * * @param cert Certificate to retrieve the serial number from. + * @param gc Garbage collection arena to use when allocating string. * * @return The certificate's serial number. */ -char *x509_get_serial (openvpn_x509_cert_t *cert); - -/* - * Free a serial number string as returned by \c verify_get_serial() - * - * @param serial The string to be freed. - */ -void x509_free_serial (char *serial); +char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc); /* * Save X509 fields to environment, using the naming convention: diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index f5fe17a..a962426 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -219,25 +219,22 @@ x509_get_username (char *common_name, int cn_len, } char * -x509_get_serial (openvpn_x509_cert_t *cert) +x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) { ASN1_INTEGER *asn1_i; BIGNUM *bignum; - char *serial; + char *openssl_serial, *serial; asn1_i = X509_get_serialNumber(cert); bignum = ASN1_INTEGER_to_BN(asn1_i, NULL); - serial = BN_bn2dec(bignum); + openssl_serial = BN_bn2dec(bignum); + + serial = string_alloc(openssl_serial, gc); BN_free(bignum); - return serial; -} + OPENSSL_free(openssl_serial); -void -x509_free_serial (char *serial) -{ - if (serial) - OPENSSL_free(serial); + return serial; } unsigned char * diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c index e151e87..384fe84 100644 --- a/src/openvpn/ssl_verify_polarssl.c +++ b/src/openvpn/ssl_verify_polarssl.c @@ -125,32 +125,21 @@ x509_get_username (char *cn, int cn_len, } char * -x509_get_serial (x509_cert *cert) +x509_get_serial (x509_cert *cert, struct gc_arena *gc) { int ret = 0; int i = 0; char *buf = NULL; size_t len = cert->serial.len * 3 + 1; - buf = malloc(len); - ASSERT(buf); + buf = gc_malloc(len, true, gc); if(x509parse_serial_gets(buf, len-1, &cert->serial) < 0) - { - free(buf); - buf = NULL; - } + buf = NULL; return buf; } -void -x509_free_serial (char *serial) -{ - if (serial) - free(serial); -} - unsigned char * x509_get_sha1_hash (x509_cert *cert) { |