@@ -407,12 +407,11 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert

 #ifdef ENABLE_EUREPHIA

   /* export X509 cert SHA1 fingerprint */

   {

-    unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert);

+    unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);

     openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);

     setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,

 					  ":", &gc));

-    x509_free_sha1_hash(sha1_hash);

   }

 #endif

@@ -620,14 +619,12 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep

   /* verify level 1 cert, i.e. the CA that signed our leaf cert */

   if (cert_depth == 1 && opt->verify_hash)

     {

-      unsigned char *sha1_hash = x509_get_sha1_hash(cert);

+      unsigned char *sha1_hash = x509_get_sha1_hash(cert, &gc);

       if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH))

       {

 	msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");

-	x509_free_sha1_hash(sha1_hash);

 	goto err;

       }

-      x509_free_sha1_hash(sha1_hash);

     }

   /* save common name in session object */

@@ -89,20 +89,12 @@ char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc);

 /* Retrieve the certificate's SHA1 hash.

  *

- * The returned string must be freed with \c verify_free_sha1_hash()

- *

  * @param cert		Certificate to retrieve the hash from.

+ * @param gc		Garbage collection arena to use when allocating string.

  *

  * @return 		a string containing the SHA1 hash of the certificate

  */

-unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert);

-

-/*

- * Free a hash as returned by \c verify_get_hash()

- *

- * @param hash		The subject to be freed.

- */

-void x509_free_sha1_hash (unsigned char *hash);

+unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc);

 /*

  * Retrieve the certificate's username from the specified field.

@@ -49,7 +49,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)

   struct tls_session *session;

   SSL *ssl;

   struct gc_arena gc = gc_new();

-  unsigned char *sha1_hash = NULL;

   /* get the tls_session pointer */

   ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());

@@ -57,9 +56,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)

   session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);

   ASSERT (session);

-  sha1_hash = x509_get_sha1_hash(ctx->current_cert);

-  cert_hash_remember (session, ctx->error_depth, sha1_hash);

-  x509_free_sha1_hash(sha1_hash);

+  cert_hash_remember (session, ctx->error_depth,

+      x509_get_sha1_hash(ctx->current_cert, &gc));

   /* did peer present cert which was signed by our root cert? */

   if (!preverify_ok)

@@ -238,20 +236,13 @@ x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)

 }

 unsigned char *

-x509_get_sha1_hash (X509 *cert)

+x509_get_sha1_hash (X509 *cert, struct gc_arena *gc)

 {

-  char *hash = malloc(SHA_DIGEST_LENGTH);

+  char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);

   memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH);

   return hash;

 }

-void

-x509_free_sha1_hash (unsigned char *hash)

-{

-  if (hash)

-    free(hash);

-}

-

 char *

 x509_get_subject (X509 *cert, struct gc_arena *gc)

 {

@@ -48,7 +48,6 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,

 {

   struct tls_session *session = (struct tls_session *) session_obj;

   struct gc_arena gc = gc_new();

-  unsigned char *sha1_hash = NULL;

   ASSERT (cert);

   ASSERT (session);

@@ -56,9 +55,7 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,

   session->verified = false;

   /* Remember certificate hash */

-  sha1_hash = x509_get_sha1_hash(cert);

-  cert_hash_remember (session, cert_depth, sha1_hash);

-  x509_free_sha1_hash(sha1_hash);

+  cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc));

   /* did peer present cert which was signed by our root cert? */

   if (!preverify_ok)

@@ -141,20 +138,13 @@ x509_get_serial (x509_cert *cert, struct gc_arena *gc)

 }

 unsigned char *

-x509_get_sha1_hash (x509_cert *cert)

+x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc)

 {

-  unsigned char *sha1_hash = malloc(SHA_DIGEST_LENGTH);

+  unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);

   sha1(cert->tbs.p, cert->tbs.len, sha1_hash);

   return sha1_hash;

 }

-void

-x509_free_sha1_hash (unsigned char *hash)

-{

-  if (hash)

-    free(hash);

-}

-

 char *

 x509_get_subject(x509_cert *cert, struct gc_arena *gc)

 {

@@ -173,7 +163,6 @@ x509_get_subject(x509_cert *cert, struct gc_arena *gc)

   return subject;

 }

-

 /*

  * Save X509 fields to environment, using the naming convention:

  *