From: William A. Rowe Jr
Date: Tue, 29 Oct 2002 03:52:22 +0000 (+0000)
Subject: Close several small leaks in SSL.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6d52375325936f4f3dfcdd06f487c6ac27f5867d;p=apache

Close several small leaks in SSL.
Submitted by: Zvi Har'El
Reviewed by: Madhusudan Mathihalli
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97340 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 0365adfb3a..93b1fd3a71 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -531,6 +531,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
     if ((cert = SSL_get_peer_certificate(filter->pssl))) {
         sslconn->client_cert = cert;
         sslconn->client_dn = NULL;
+        X509_free(cert);
     }
 
     /*
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 716b458ded..23431abbd2 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -545,9 +545,10 @@ int ssl_hook_Access(request_rec *r)
 
         if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
             (verify_old == SSL_VERIFY_NONE) &&
-            SSL_get_peer_certificate(ssl))
+            ((cert = SSL_get_peer_certificate(ssl)) != NULL))
         {
             renegotiate_quick = TRUE;
+            X509_free(cert);
         }
 
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
@@ -817,6 +818,7 @@ int ssl_hook_Access(request_rec *r)
     if ((cert = SSL_get_peer_certificate(ssl))) {
         sslconn->client_cert = cert;
         sslconn->client_dn = NULL;
+        X509_free(cert);
     }
 
     /*
@@ -833,7 +835,8 @@ int ssl_hook_Access(request_rec *r)
         return HTTP_FORBIDDEN;
     }
 
-    if (do_verify && !SSL_get_peer_certificate(ssl)) {
+    if (do_verify &&
+        ((cert = SSL_get_peer_certificate(ssl)) == NULL)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                      "Re-negotiation handshake failed: "
                      "Client certificate missing");
@@ -1399,6 +1402,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
     X509_NAME *subject, *issuer;
     X509 *cert;
     X509_CRL *crl;
+    EVP_PKEY *pubkey;
     int i, n, rc;
 
     /*
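Review bot: The added `X509_free(cert)` in ssl_hook_process_connection releases the only reference this code holds while `sslconn->client_cert` keeps pointing at the certificate, so the stored pointer is valid only for as long as the SSL object's session retains its own reference, and a renegotiation or session change can leave it dangling for later readers of `sslconn->client_cert`. The same pattern is in the @@ -817 hunk of ssl_engine_kernel.c (ssl_hook_Access). The leak is better closed by keeping the reference here and releasing `sslconn->client_cert` once in the connection's cleanup (not visible in this diff): drop the `X509_free(cert);` line and add `/* owned reference; released with the connection */` above the assignment. The enclosing function continues outside the hunk.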
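Review bot: In the @@ -833 hunk of ssl_hook_Access the rewritten condition now keeps the reference returned by `SSL_get_peer_certificate()` in `cert` whenever a certificate is present, but nothing in the hunk releases it; unless that happens further down (outside the hunk), each verified request leaks one X509 reference, the very thing this commit sets out to fix. If only presence is being tested, release it right after the `if` block, `X509_free(cert); /* presence only; reference not needed */` (a NULL `cert` is a no-op for `X509_free()`), or free it where the pointer is last used. The function's body continues past the hunk.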
@@ -1485,16 +1489,22 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
         /*
          * Verify the signature on this CRL
          */
-        if (X509_CRL_verify(crl, X509_get_pubkey(cert)) <= 0) {
+        pubkey = X509_get_pubkey(cert);
+        if (X509_CRL_verify(crl, pubkey) <= 0) {
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                          "Invalid signature on CRL");
             X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
             X509_OBJECT_free_contents(&obj);
+            if (pubkey)
+                EVP_PKEY_free(pubkey);
             return FALSE;
         }
 
+        if (pubkey)
+            EVP_PKEY_free(pubkey);
+
         /*
          * Check date of CRL to make sure it's not expired
          */
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 2ac285118d..2ef216fd6c 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -296,8 +296,10 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
         result = ssl_var_lookup_ssl_cert_verify(p, c);
     }
     else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
-        if ((xs = SSL_get_peer_certificate(ssl)) != NULL)
+        if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
             result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+            X509_free(xs);
+        }
     }
     else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
         if ((xs = SSL_get_certificate(ssl)) != NULL)
@@ -536,6 +538,9 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
     else /* client verification failed */
         result = apr_psprintf(p, "FAILED:%s", verr);
+
+    if (xs)
+        X509_free(xs);
     return result;
 }
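Review bot: The public key is released in two places with a duplicated `if (pubkey)` guard, once on the failure path and once after the `if`; since `EVP_PKEY_free()` accepts NULL, the verification result can be captured and the key released exactly once before the check: `rc = X509_CRL_verify(crl, pubkey);`, `EVP_PKEY_free(pubkey);`, `if (rc <= 0) {`, which removes both guarded frees and keeps the cleanup next to the acquisition. `rc` is declared in this function; if it is live at this point, use a fresh local instead. A NULL return from `X509_get_pubkey()` still reaches `X509_CRL_verify()` exactly as before the change, which is worth a one-line comment so the reliance on the verify call rejecting it is explicit. ssl_callback_SSLVerify_CRL continues outside the hunk.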
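Review bot: In the @@ -296 hunk of ssl_var_lookup_ssl the asymmetry between the two branches is easy to misread as a missing free: the `CLIENT_` branch now releases `xs` because `SSL_get_peer_certificate()` returns a new reference, while the `SERVER_` branch must not, because `SSL_get_certificate()` returns the SSL object's internal pointer without taking a reference. A comment on the new `X509_free(xs);` line, `/* SSL_get_peer_certificate() takes a reference; SSL_get_certificate() below does not */`, would keep the next maintainer from "fixing" the SERVER_ case. ssl_var_lookup_ssl continues on both sides of the hunk.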