Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
... | ... |
@@ -407,12 +407,11 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert |
407 | 407 |
#ifdef ENABLE_EUREPHIA |
408 | 408 |
/* export X509 cert SHA1 fingerprint */ |
409 | 409 |
{ |
410 |
- unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert); |
|
410 |
+ unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc); |
|
411 | 411 |
|
412 | 412 |
openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth); |
413 | 413 |
setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, |
414 | 414 |
":", &gc)); |
415 |
- x509_free_sha1_hash(sha1_hash); |
|
416 | 415 |
} |
417 | 416 |
#endif |
418 | 417 |
|
... | ... |
@@ -620,14 +619,12 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep |
620 | 620 |
/* verify level 1 cert, i.e. the CA that signed our leaf cert */ |
621 | 621 |
if (cert_depth == 1 && opt->verify_hash) |
622 | 622 |
{ |
623 |
- unsigned char *sha1_hash = x509_get_sha1_hash(cert); |
|
623 |
+ unsigned char *sha1_hash = x509_get_sha1_hash(cert, &gc); |
|
624 | 624 |
if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH)) |
625 | 625 |
{ |
626 | 626 |
msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); |
627 |
- x509_free_sha1_hash(sha1_hash); |
|
628 | 627 |
goto err; |
629 | 628 |
} |
630 |
- x509_free_sha1_hash(sha1_hash); |
|
631 | 629 |
} |
632 | 630 |
|
633 | 631 |
/* save common name in session object */ |
... | ... |
@@ -89,20 +89,12 @@ char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc); |
89 | 89 |
|
90 | 90 |
/* Retrieve the certificate's SHA1 hash. |
91 | 91 |
* |
92 |
- * The returned string must be freed with \c verify_free_sha1_hash() |
|
93 |
- * |
|
94 | 92 |
* @param cert Certificate to retrieve the hash from. |
93 |
+ * @param gc Garbage collection arena to use when allocating string. |
|
95 | 94 |
* |
96 | 95 |
* @return a string containing the SHA1 hash of the certificate |
97 | 96 |
*/ |
98 |
-unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert); |
|
99 |
- |
|
100 |
-/* |
|
101 |
- * Free a hash as returned by \c verify_get_hash() |
|
102 |
- * |
|
103 |
- * @param hash The subject to be freed. |
|
104 |
- */ |
|
105 |
-void x509_free_sha1_hash (unsigned char *hash); |
|
97 |
+unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc); |
|
106 | 98 |
|
107 | 99 |
/* |
108 | 100 |
* Retrieve the certificate's username from the specified field. |
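Review bot: The reworked comment block for x509_get_sha1_hash (old lines 90–97) still describes the result as "a string", but the function returns SHA_DIGEST_LENGTH raw digest bytes with no NUL terminator, and now that the buffer comes from the caller's arena the comment should also say who owns it and for how long. Suggest `@param gc Garbage collection arena that owns the returned buffer.` and `@return pointer to SHA_DIGEST_LENGTH bytes (not NUL-terminated) holding the certificate's SHA1 hash; valid until gc is freed.` A caller that needs the digest beyond the arena's lifetime has to copy it, which is worth stating here since the old free-by-caller contract is gone.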
... | ... |
@@ -49,7 +49,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) |
49 | 49 |
struct tls_session *session; |
50 | 50 |
SSL *ssl; |
51 | 51 |
struct gc_arena gc = gc_new(); |
52 |
- unsigned char *sha1_hash = NULL; |
|
53 | 52 |
|
54 | 53 |
/* get the tls_session pointer */ |
55 | 54 |
ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
... | ... |
@@ -57,9 +56,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) |
57 | 57 |
session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index); |
58 | 58 |
ASSERT (session); |
59 | 59 |
|
60 |
- sha1_hash = x509_get_sha1_hash(ctx->current_cert); |
|
61 |
- cert_hash_remember (session, ctx->error_depth, sha1_hash); |
|
62 |
- x509_free_sha1_hash(sha1_hash); |
|
60 |
+ cert_hash_remember (session, ctx->error_depth, |
|
61 |
+ x509_get_sha1_hash(ctx->current_cert, &gc)); |
|
63 | 62 |
|
64 | 63 |
/* did peer present cert which was signed by our root cert? */ |
65 | 64 |
if (!preverify_ok) |
... | ... |
@@ -238,20 +236,13 @@ x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
238 | 238 |
} |
239 | 239 |
|
240 | 240 |
unsigned char * |
241 |
-x509_get_sha1_hash (X509 *cert) |
|
241 |
+x509_get_sha1_hash (X509 *cert, struct gc_arena *gc) |
|
242 | 242 |
{ |
243 |
- char *hash = malloc(SHA_DIGEST_LENGTH); |
|
243 |
+ char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); |
|
244 | 244 |
memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH); |
245 | 245 |
return hash; |
246 | 246 |
} |
247 | 247 |
|
248 |
-void |
|
249 |
-x509_free_sha1_hash (unsigned char *hash) |
|
250 |
-{ |
|
251 |
- if (hash) |
|
252 |
- free(hash); |
|
253 |
-} |
|
254 |
- |
|
255 | 248 |
char * |
256 | 249 |
x509_get_subject (X509 *cert, struct gc_arena *gc) |
257 | 250 |
{ |
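Review bot: The rewritten allocation at new line 243 still declares `char *hash` although the function returns `unsigned char *`, so `return hash;` converts between differently-signed pointer types (a -Wpointer-sign diagnostic) and disagrees with the PolarSSL implementation, which uses `unsigned char *` for the same buffer. Since the line is already being touched, make it `unsigned char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);`. The gc_malloc result is passed straight to memcpy on the next line; if gc_malloc can return NULL on exhaustion rather than aborting, that dereference needs a check, and if it aborts internally a short comment saying so would save the next reader the same question.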
... | ... |
@@ -48,7 +48,6 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth, |
48 | 48 |
{ |
49 | 49 |
struct tls_session *session = (struct tls_session *) session_obj; |
50 | 50 |
struct gc_arena gc = gc_new(); |
51 |
- unsigned char *sha1_hash = NULL; |
|
52 | 51 |
|
53 | 52 |
ASSERT (cert); |
54 | 53 |
ASSERT (session); |
... | ... |
@@ -56,9 +55,7 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth, |
56 | 56 |
session->verified = false; |
57 | 57 |
|
58 | 58 |
/* Remember certificate hash */ |
59 |
- sha1_hash = x509_get_sha1_hash(cert); |
|
60 |
- cert_hash_remember (session, cert_depth, sha1_hash); |
|
61 |
- x509_free_sha1_hash(sha1_hash); |
|
59 |
+ cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc)); |
|
62 | 60 |
|
63 | 61 |
/* did peer present cert which was signed by our root cert? */ |
64 | 62 |
if (!preverify_ok) |
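Review bot: The new call on line 59 hands cert_hash_remember a pointer into the callback's local arena `gc`, so the session would outlive the buffer unless cert_hash_remember copies the digest. The removed lines freed the buffer immediately after the call, which implies it does copy, but nothing at the call site records that dependency; a one-line comment such as `/* cert_hash_remember() copies the digest; the gc-owned buffer is released with this arena */` would make the lifetime explicit. The same applies to the OpenSSL verify_callback hunk (new lines 60–61 there). The body of verify_callback continues past the hunk, so the gc_free that releases this arena is not visible here.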
... | ... |
@@ -141,20 +138,13 @@ x509_get_serial (x509_cert *cert, struct gc_arena *gc) |
141 | 141 |
} |
142 | 142 |
|
143 | 143 |
unsigned char * |
144 |
-x509_get_sha1_hash (x509_cert *cert) |
|
144 |
+x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc) |
|
145 | 145 |
{ |
146 |
- unsigned char *sha1_hash = malloc(SHA_DIGEST_LENGTH); |
|
146 |
+ unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); |
|
147 | 147 |
sha1(cert->tbs.p, cert->tbs.len, sha1_hash); |
148 | 148 |
return sha1_hash; |
149 | 149 |
} |
150 | 150 |
|
151 |
-void |
|
152 |
-x509_free_sha1_hash (unsigned char *hash) |
|
153 |
-{ |
|
154 |
- if (hash) |
|
155 |
- free(hash); |
|
156 |
-} |
|
157 |
- |
|
158 | 151 |
char * |
159 | 152 |
x509_get_subject(x509_cert *cert, struct gc_arena *gc) |
160 | 153 |
{ |
... | ... |
@@ -173,7 +163,6 @@ x509_get_subject(x509_cert *cert, struct gc_arena *gc) |
173 | 173 |
return subject; |
174 | 174 |
} |
175 | 175 |
|
176 |
- |
|
177 | 176 |
/* |
178 | 177 |
* Save X509 fields to environment, using the naming convention: |
179 | 178 |
* |