From 8e5613c2a8545a67cab2734569a8f088100d731b Mon Sep 17 00:00:00 2001 From: Adriaan de Jong Date: Tue, 14 Feb 2012 11:11:26 +0100 Subject: Migrated x509_get_sha1_hash to use the garbage collector Signed-off-by: Adriaan de Jong Acked-by: James Yonan Acked-by: David Sommerseth Signed-off-by: David Sommerseth --- src/openvpn/ssl_verify.c | 7 ++----- src/openvpn/ssl_verify_backend.h | 12 ++---------- src/openvpn/ssl_verify_openssl.c | 17 ++++------------- src/openvpn/ssl_verify_polarssl.c | 17 +++-------------- 4 files changed, 11 insertions(+), 42 deletions(-) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index f84a4fb..5783528 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -407,12 +407,11 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert #ifdef ENABLE_EUREPHIA /* export X509 cert SHA1 fingerprint */ { - unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert); + unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc); openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth); setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, ":", &gc)); - x509_free_sha1_hash(sha1_hash); } #endif @@ -620,14 +619,12 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep /* verify level 1 cert, i.e. the CA that signed our leaf cert */ if (cert_depth == 1 && opt->verify_hash) { - unsigned char *sha1_hash = x509_get_sha1_hash(cert); + unsigned char *sha1_hash = x509_get_sha1_hash(cert, &gc); if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH)) { msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); - x509_free_sha1_hash(sha1_hash); goto err; } - x509_free_sha1_hash(sha1_hash); } /* save common name in session object */ diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index ab44f95..1658cc0 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -88,21 +88,13 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth, char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc); /* Retrieve the certificate's SHA1 hash. - * - * The returned string must be freed with \c verify_free_sha1_hash() * * @param cert Certificate to retrieve the hash from. + * @param gc Garbage collection arena to use when allocating string. * * @return a string containing the SHA1 hash of the certificate */ -unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert); - -/* - * Free a hash as returned by \c verify_get_hash() - * - * @param hash The subject to be freed. - */ -void x509_free_sha1_hash (unsigned char *hash); +unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc); /* * Retrieve the certificate's username from the specified field. diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index a962426..4dfabfc 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -49,7 +49,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) struct tls_session *session; SSL *ssl; struct gc_arena gc = gc_new(); - unsigned char *sha1_hash = NULL; /* get the tls_session pointer */ ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); @@ -57,9 +56,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index); ASSERT (session); - sha1_hash = x509_get_sha1_hash(ctx->current_cert); - cert_hash_remember (session, ctx->error_depth, sha1_hash); - x509_free_sha1_hash(sha1_hash); + cert_hash_remember (session, ctx->error_depth, + x509_get_sha1_hash(ctx->current_cert, &gc)); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) @@ -238,20 +236,13 @@ x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) } unsigned char * -x509_get_sha1_hash (X509 *cert) +x509_get_sha1_hash (X509 *cert, struct gc_arena *gc) { - char *hash = malloc(SHA_DIGEST_LENGTH); + char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH); return hash; } -void -x509_free_sha1_hash (unsigned char *hash) -{ - if (hash) - free(hash); -} - char * x509_get_subject (X509 *cert, struct gc_arena *gc) { diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c index 384fe84..d9d4fd5 100644 --- a/src/openvpn/ssl_verify_polarssl.c +++ b/src/openvpn/ssl_verify_polarssl.c @@ -48,7 +48,6 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth, { struct tls_session *session = (struct tls_session *) session_obj; struct gc_arena gc = gc_new(); - unsigned char *sha1_hash = NULL; ASSERT (cert); ASSERT (session); @@ -56,9 +55,7 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth, session->verified = false; /* Remember certificate hash */ - sha1_hash = x509_get_sha1_hash(cert); - cert_hash_remember (session, cert_depth, sha1_hash); - x509_free_sha1_hash(sha1_hash); + cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc)); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) @@ -141,20 +138,13 @@ x509_get_serial (x509_cert *cert, struct gc_arena *gc) } unsigned char * -x509_get_sha1_hash (x509_cert *cert) +x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc) { - unsigned char *sha1_hash = malloc(SHA_DIGEST_LENGTH); + unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); sha1(cert->tbs.p, cert->tbs.len, sha1_hash); return sha1_hash; } -void -x509_free_sha1_hash (unsigned char *hash) -{ - if (hash) - free(hash); -} - char * x509_get_subject(x509_cert *cert, struct gc_arena *gc) { @@ -173,7 +163,6 @@ x509_get_subject(x509_cert *cert, struct gc_arena *gc) return subject; } - /* * Save X509 fields to environment, using the naming convention: * -- cgit