[minion-cvs] Don"t leak certificates when verifying.
Update of /home/minion/cvsroot/src/minion/src
In directory moria.mit.edu:/tmp/cvs-serv1287/src
Modified Files:
tls.c
Log Message:
Don't leak certificates when verifying.
Index: tls.c
===================================================================
RCS file: /home/minion/cvsroot/src/minion/src/tls.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -d -r1.22 -r1.23
--- tls.c 17 May 2003 00:08:46 -0000 1.22
+++ tls.c 3 Jun 2003 16:31:05 -0000 1.23
@@ -587,14 +587,20 @@
now = time(NULL);
if (X509_cmp_time(X509_get_notBefore(cert), &now) > 0) {
MM_TLS_ERR("Certificate is not yet valid");
- return NULL;
+ goto error;
}
if (X509_cmp_time(X509_get_notAfter(cert), &now) < 0) {
MM_TLS_ERR("Certificate has expired");
- return NULL;
+ goto error;
}
+
+ X509_free(cert);
+
Py_INCREF(Py_None);
return Py_None;
+ error:
+ X509_free(cert);
+ return NULL;
}
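Review bot: The two validity checks immediately above the new `goto error` lines treat a return of 0 from X509_cmp_time() as "valid", but X509_cmp_time() returns 0 when it cannot parse the ASN1 time, so a certificate with a malformed notBefore or notAfter passes both tests; the cleanup path this commit adds is the natural place to route that case, by tightening the comparisons to `if (X509_cmp_time(X509_get_notBefore(cert), &now) >= 0) {` and `if (X509_cmp_time(X509_get_notAfter(cert), &now) <= 0) {`, since 0 is only ever the error result. The function's opening, including where `cert` is obtained and any earlier `return NULL` paths, is outside the hunk, so I cannot confirm those paths release it as well. A one-line comment at the label, `/* cert is non-NULL here: both gotos follow X509_get_notBefore(cert) */`, would record why this label, unlike the one added later in this file, needs no NULL guard.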
@@ -626,14 +632,14 @@
ssl = ((mm_TLSSock*)self)->ssl;
if (!(chain = SSL_get_peer_cert_chain(ssl))) {
- mm_SSL_ERR(0); return NULL;
+ mm_SSL_ERR(0); goto error;
}
if (!(cert = SSL_get_peer_certificate(ssl))) {
- mm_SSL_ERR(0); return NULL;
+ mm_SSL_ERR(0); goto error;
}
if (sk_X509_num(chain) != 2) {
MM_TLS_ERR("Wrong number of certificates in peer chain.");
- return NULL;
+ goto error;
}
for (i = 0; i < 2; ++i) {
id_cert = sk_X509_value(chain, i);
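Review bot: The `goto error` on the SSL_get_peer_cert_chain() failure path runs before `cert` has been assigned, so the `if (cert) X509_free(cert);` at the label (added in the last hunk of this file) only avoids freeing an indeterminate pointer if `cert` is initialised at its declaration; that declaration is above this hunk and not visible, so please confirm it reads `X509 *cert = NULL;`. The asymmetry between the two calls is correct but undocumented: SSL_get_peer_cert_chain() returns a pointer owned by the SSL object and must not be freed, while SSL_get_peer_certificate() returns a reference the caller owns, which is exactly what the new cleanup releases. A comment next to the pair, `/* chain is owned by ssl; cert is a new reference we must X509_free */`, would keep a later edit from "fixing" the missing free of `chain`. The function's opening lies outside the hunk.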
@@ -643,14 +649,14 @@
}
if (!id_cert) {
MM_TLS_ERR("No distinct identity certificate found.");
- return NULL;
+ goto error;
}
if (!(pkey = X509_get_pubkey(id_cert))) {
- mm_SSL_ERR(0); return NULL;
+ mm_SSL_ERR(0); goto error;
}
/* Is the signature correct? */
if (X509_verify(cert, pkey) <= 0) {
- EVP_PKEY_free(pkey); mm_SSL_ERR(0); return NULL;
+ EVP_PKEY_free(pkey); mm_SSL_ERR(0); goto error;
}
rsa = EVP_PKEY_get1_RSA(pkey);
EVP_PKEY_free(pkey);
@@ -658,11 +664,17 @@
mm_SSL_ERR(0); return NULL;
}
if (!(result = PyObject_New(mm_RSA, &mm_RSA_Type))) {
- RSA_free(rsa); PyErr_NoMemory(); return NULL;
+ RSA_free(rsa); PyErr_NoMemory(); goto error;
}
result->rsa = rsa;
+ X509_free(cert);
+
return (PyObject*) result;
+ error:
+ if (cert)
+ X509_free(cert);
+ return NULL;
}
static char mm_TLSSock_renegotiate__doc__[] =
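Review bot: The `mm_SSL_ERR(0); return NULL;` context line at the top of this hunk still returns directly instead of jumping to the new `error:` label, so the certificate obtained from SSL_get_peer_certificate() is still leaked on that path; the condition opening it sits between the previous hunk and this one and is not visible, but it presumably is the NULL check on the result of EVP_PKEY_get1_RSA(). It should read `mm_SSL_ERR(0); goto error;` like the other failure returns this commit converts. Ownership of `rsa` is handled consistently: the PyObject_New() failure path frees it before the goto and the success path hands it to `result`. This label guards `cert` with `if (cert)` while the label added in the first hunk does not; a comment such as `/* cert may still be NULL: the chain failure above jumps here before it is set */` would explain the difference to the next reader.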