-rw-r--r--src/openvpn/ssl_verify.c28
-rw-r--r--src/openvpn/ssl_verify_backend.h11
-rw-r--r--src/openvpn/ssl_verify_openssl.c17
-rw-r--r--src/openvpn/ssl_verify_polarssl.c17
4 files changed, 26 insertions, 47 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c4612f9..f84a4fb 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -383,6 +383,8 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert
)
{
char envname[64];
+ char *serial = NULL;
+ struct gc_arena gc = gc_new ();
/* Save X509 fields in environment */
#ifdef ENABLE_X509_TRACK
@@ -405,25 +407,21 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert
#ifdef ENABLE_EUREPHIA
/* export X509 cert SHA1 fingerprint */
{
- struct gc_arena gc = gc_new ();
unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert);
openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
":", &gc));
x509_free_sha1_hash(sha1_hash);
- gc_free(&gc);
}
#endif
- /* export serial number as environmental variable,
- use bignum in case serial number is large */
- {
- char *serial = x509_get_serial(peer_cert);
- openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
- setenv_str (es, envname, serial);
- x509_free_serial(serial);
- }
+ /* export serial number as environmental variable */
+ serial = x509_get_serial(peer_cert, &gc);
+ openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
+ setenv_str (es, envname, serial);
+
+ gc_free(&gc);
}
/*
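Review bot: The new `serial = x509_get_serial(peer_cert, &gc)` result is passed straight to `setenv_str` without a NULL check, while the PolarSSL backend in this same commit returns NULL when it cannot format the serial. Whether `setenv_str` tolerates a NULL value is not visible here; if it does, `tls_serial_N` is silently absent for scripts that key on it, and if it does not, this is a NULL dereference on a peer-supplied certificate. I would make the failure explicit: `if (!serial) msg (D_HANDSHAKE, "VERIFY: could not read certificate serial number"); else setenv_str (es, envname, serial);`. Also, `gc` is now function-scoped rather than local to the Eurephia block, so any early return between the declaration (hunk above) and the `gc_free(&gc)` here would leak the arena — the middle of verify_cert_set_env is outside these hunks, so please confirm there is none.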
@@ -543,24 +541,26 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert)
{
char fn[256];
int fd;
- char *serial = x509_get_serial(cert);
+ struct gc_arena gc = gc_new();
+
+ char *serial = x509_get_serial(cert, &gc);
if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
{
msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
- x509_free_serial(serial);
+ gc_free(&gc);
return FAILURE;
}
fd = platform_open (fn, O_RDONLY, 0);
if (fd >= 0)
{
msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
- x509_free_serial(serial);
close(fd);
+ gc_free(&gc);
return FAILURE;
}
- x509_free_serial(serial);
+ gc_free(&gc);
return SUCCESS;
}
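Review bot: `serial` can be NULL here (the PolarSSL `x509_get_serial` in this commit returns NULL on a formatting failure) and it is used unchecked as a `%s` argument to `openvpn_snprintf` and then as a path component; `%s` with NULL is undefined behavior, and on glibc it silently yields `crl_dir/(null)`, so a certificate whose serial cannot be read is never looked up in the CRL directory. Because this is the revocation check it should fail closed rather than skip the lookup. The function's signature line is outside the hunk (only visible in the `@@` context).

```c
  char *serial = x509_get_serial(cert, &gc);
  if (!serial)
    {
      msg (D_HANDSHAKE, "VERIFY CRL: could not read certificate serial number");
      gc_free(&gc);
      return FAILURE;
    }
  /* … unchanged: filename construction, platform_open, revoked check … */
```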
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index ac71d18..ab44f95 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -124,20 +124,13 @@ result_t x509_get_username (char *common_name, int cn_len,
* Return the certificate's serial number.
*
* The serial number is returned as a string, since it might be a bignum.
- * The returned string must be freed with \c verify_free_serial()
*
* @param cert Certificate to retrieve the serial number from.
+ * @param gc Garbage collection arena to use when allocating string.
*
* @return The certificate's serial number.
*/
-char *x509_get_serial (openvpn_x509_cert_t *cert);
-
-/*
- * Free a serial number string as returned by \c verify_get_serial()
- *
- * @param serial The string to be freed.
- */
-void x509_free_serial (char *serial);
+char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
/*
* Save X509 fields to environment, using the naming convention:
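Review bot: The updated doc comment for `x509_get_serial` does not state that the function can fail, yet the PolarSSL implementation in this commit returns NULL when the serial cannot be formatted, and callers in ssl_verify.c use the result unconditionally. The `@return` line should read `@return The certificate's serial number as a decimal/hex string allocated from \c gc, or NULL if it could not be retrieved.` so backend authors and callers share the same contract. It is also worth noting that the string's lifetime is that of the arena, replacing the removed "must be freed with verify_free_serial" sentence. The comment's opening `/**` is above the hunk.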
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index f5fe17a..a962426 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -219,25 +219,22 @@ x509_get_username (char *common_name, int cn_len,
}
char *
-x509_get_serial (openvpn_x509_cert_t *cert)
+x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
{
ASN1_INTEGER *asn1_i;
BIGNUM *bignum;
- char *serial;
+ char *openssl_serial, *serial;
asn1_i = X509_get_serialNumber(cert);
bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
- serial = BN_bn2dec(bignum);
+ openssl_serial = BN_bn2dec(bignum);
+
+ serial = string_alloc(openssl_serial, gc);
BN_free(bignum);
- return serial;
-}
+ OPENSSL_free(openssl_serial);
-void
-x509_free_serial (char *serial)
-{
- if (serial)
- OPENSSL_free(serial);
+ return serial;
}
unsigned char *
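Review bot: `ASN1_INTEGER_to_BN` and `BN_bn2dec` can both return NULL (allocation failure, or a malformed serial in the peer certificate), and the rewritten body passes `bignum` to `BN_bn2dec` and `openssl_serial` to `string_alloc` without checking either; `BN_bn2dec(NULL)` dereferences its argument. Whether `string_alloc` accepts a NULL source is not visible here, so I would not rely on it. Returning NULL on failure would also align this backend with the PolarSSL one, which already does so.

```c
  bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
  if (!bignum)
    return NULL;
  openssl_serial = BN_bn2dec(bignum);
  serial = openssl_serial ? string_alloc(openssl_serial, gc) : NULL;
  /* … unchanged: BN_free, OPENSSL_free, return serial … */
```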
diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index e151e87..384fe84 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -125,32 +125,21 @@ x509_get_username (char *cn, int cn_len,
}
char *
-x509_get_serial (x509_cert *cert)
+x509_get_serial (x509_cert *cert, struct gc_arena *gc)
{
int ret = 0;
int i = 0;
char *buf = NULL;
size_t len = cert->serial.len * 3 + 1;
- buf = malloc(len);
- ASSERT(buf);
+ buf = gc_malloc(len, true, gc);
if(x509parse_serial_gets(buf, len-1, &cert->serial) < 0)
- {
- free(buf);
- buf = NULL;
- }
+ buf = NULL;
return buf;
}
-void
-x509_free_serial (char *serial)
-{
- if (serial)
- free(serial);
-}
-
unsigned char *
x509_get_sha1_hash (x509_cert *cert)
{
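Review bot: The rewritten failure path `if(x509parse_serial_gets(...) < 0) buf = NULL;` drops the braces that the rest of this file uses for every `if` body (see the removed block and the callers in ssl_verify.c); for a security-relevant helper I would keep the braced form `if (x509parse_serial_gets(buf, len-1, &cert->serial) < 0)` / `{` / `buf = NULL;` / `}` so a later added statement cannot fall outside the condition. While touching this function, `ret` and `i` are declared but never used and can be deleted. The zero-fill flag passed to `gc_malloc` appears to guarantee termination even on a partial write — confirm that is what the second argument means, since the comment does not say.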