Changeset 02eabe7 in mod_gnutls


Timestamp:
Jun 16, 2016, 2:28:40 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
b8700b0
Parents:
f265001
git-author:
Thomas Klute <thomas2.klute@…> (06/16/16 14:12:35)
git-committer:
Thomas Klute <thomas2.klute@…> (06/16/16 14:28:40)
Message:

TLS Proxy: Fix memory leak while logging certificate status

The output buffer for gnutls_certificate_verification_status_print()
was not released correctly. Leak discovered using Valgrind.

Additionally gnutls_certificate_verification_status_print() is now
only used in case of verification failure, otherwise a static message
is sufficient. This should be a (very minor) performance improvement.

File:
1 edited

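--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1794,25 +1794,28 @@
     }
 
-    gnutls_datum_t * out = gnutls_malloc(sizeof(gnutls_datum_t));
-    /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy certs
-     * 0: according to function API, the last argument should be 0 */
-    err = gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
-                                                       out, 0);
-    if (err != GNUTLS_E_SUCCESS)
+    if (status == 0)
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
-                      "%s: server verify print failed: %s (%d)",
-                      __func__, gnutls_strerror(err), err);
+                      "%s: server certificate is trusted.",
+                      __func__);
     else
     {
-        /* If the certificate is trusted, logging the result is just
-         * nice for debugging. But if the back end server provided an
-         * untrusted certificate, warn! */
-        int level = (status == 0 ? APLOG_DEBUG : APLOG_WARNING);
-        ap_log_cerror(APLOG_MARK, level, 0, ctxt->c,
-                      "%s: server certificate verify result: %s",
-                      __func__, out->data);
-    }
-
-    gnutls_free(out);
+        gnutls_datum_t out;
+        /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy
+         * certs 0: according to function API, the last argument
+         * should be 0 */
+        err = gnutls_certificate_verification_status_print(status,
+                                                           GNUTLS_CRT_X509,
+                                                           &out, 0);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
+                          "%s: server verify print failed: %s (%d)",
+                          __func__, gnutls_strerror(err), err);
+        else
+            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                          "%s: %s",
+                          __func__, out.data);
+        gnutls_free(out.data);
+    }
+
     return status;
 }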
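Review bot: `out` is declared without an initializer at new line 1802, yet `gnutls_free(out.data)` at 1817 also runs when gnutls_certificate_verification_status_print() returns an error. Whether GnuTLS always stores to `out` before failing is not visible here, so the error path may free an indeterminate pointer; declaring it as `gnutls_datum_t out = { NULL, 0 };` makes the free safe in both branches. The "print failed" message at 1810-1812 also drops the verification result, so a rejected back end certificate can leave only a formatting error in the log; adding the raw `status` value to that message would keep the failure traceable. The enclosing function starts above this hunk, so how `status` and `err` are set up was not reviewed.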