Fix various memory leaks in SSL, apps and DSA

a8236c8c · Dr. Stephen Henson · 1750ebcb · a8236c8c · a8236c8c · a8236c8c
11 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -5,9 +5,15 @@

 Changes between 0.9.1c and 0.9.2

+  *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
+     leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
+     in apps/ and an unrellated leak in crypto/dsa/dsa_vrf.c
+     [Steve Henson]
+
  *) Support for RAW extensions where an arbitrary extension can be
     created by including its DER encoding. See apps/openssl.cnf for
     an example.
+     [Steve Henson]

  *) Make sure latest Perl versions don't interpret some generated C array
     code as Perl array code in the crypto/err/err_genc.pl script.

--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -156,9 +156,13 @@ char *key_file;
 		ssl=SSL_new(ctx);
 		x509=SSL_get_certificate(ssl);

-		if (x509 != NULL)
-			EVP_PKEY_copy_parameters(X509_get_pubkey(x509),
-				SSL_get_privatekey(ssl));
+		if (x509 != NULL) {
+			EVP_PKEY *pktmp;
+			pktmp = X509_get_pubkey(x509);
+			EVP_PKEY_copy_parameters(pktmp,
+						SSL_get_privatekey(ssl));
+			EVP_PKEY_free(pktmp);
+		}
 		SSL_free(ssl);
 		*/


--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -743,9 +743,13 @@ int full;
 	BIO_printf(bio,"%s, Cipher is %s\n",
 		SSL_CIPHER_get_version(c),
 		SSL_CIPHER_get_name(c));
-	if (peer != NULL)
+	if (peer != NULL) {
+		EVP_PKEY *pktmp;
+		pktmp = X509_get_pubkey(peer);
 		BIO_printf(bio,"Server public key is %d bit\n",
-			EVP_PKEY_bits(X509_get_pubkey(peer)));
+							 EVP_PKEY_bits(pktmp));
+		EVP_PKEY_free(pktmp);
+	}
 	SSL_SESSION_print(bio,SSL_get_session(s));
 	BIO_printf(bio,"---\n");
 	if (peer != NULL)

--- a/apps/sc.c
+++ b/apps/sc.c
@@ -770,8 +770,12 @@ int full;
 		SSL_CIPHER_get_version(c),
 		SSL_CIPHER_get_name(c));
 	if (peer != NULL)
+	{
+		EVP_PKEY *pktmp;
 		BIO_printf(bio,"Server public key is %d bit\n",
-			EVP_PKEY_bits(X509_get_pubkey(peer)));
+							EVP_PKEY_bits(pktmp));
+		EVP_PKEY_free(pktmp);
+	}
 	SSL_SESSION_print(bio,SSL_get_session(s));
 	BIO_printf(bio,"---\n");
 	if (peer != NULL)

--- a/crypto/dsa/dsa_vrf.c
+++ b/crypto/dsa/dsa_vrf.c
@@ -91,7 +91,6 @@ DSA *dsa;
 	int ret = -1;

 	if ((ctx=BN_CTX_new()) == NULL) goto err;
-	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;

 	BN_init(&u1);
 	BN_init(&u2);

--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -953,8 +953,9 @@ unsigned char *data;
 		goto err;
 	ret=1;
 err:
-	if (sk != NULL) sk_free(sk);
-	if (x509 != NULL) X509_free(x509);
+	sk_free(sk);
+	X509_free(x509);
+	EVP_PKEY_free(pkey);
 	return(ret);
 	}

@@ -985,6 +986,7 @@ int padding;
 	if (i < 0)
 		SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,ERR_R_RSA_LIB);
 end:
+	EVP_PKEY_free(pkey);
 	return(i);
 	}

--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -910,6 +910,7 @@ SSL *s;
 		pkey=X509_get_pubkey(x509);
 		if (pkey == NULL) goto end;
 		i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey);
+		EVP_PKEY_free(pkey);
 		memset(&ctx,0,sizeof(ctx));

 		if (i) 
@@ -933,8 +934,8 @@ msg_end:
 		ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
 		}
 end:
-	if (sk != NULL) sk_free(sk);
-	if (x509 != NULL) X509_free(x509);
+	sk_free(sk);
+	X509_free(x509);
 	return(ret);
 	}


--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -404,6 +404,7 @@ EVP_PKEY *pkey;
 		ret= -1;

 err:
+	if(!pkey) EVP_PKEY_free(pk);
 	return(ret);
 	}


--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -814,8 +814,9 @@ f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
 		}
 err:
-	if (x != NULL) X509_free(x);
-	if (sk != NULL) sk_pop_free(sk,X509_free);
+	EVP_PKEY_free(pkey);
+	X509_free(x);
+	sk_pop_free(sk,X509_free);
 	return(ret);
 	}

@@ -1103,11 +1104,12 @@ SSL *s;
 			goto f_err;
 			}
 		}
-
+	EVP_PKEY_free(pkey);
 	return(1);
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
+	EVP_PKEY_free(pkey);
 	return(-1);
 	}

@@ -1622,6 +1624,7 @@ SSL *s;
 	idx=c->cert_type;
 	pkey=X509_get_pubkey(c->pkeys[idx].x509);
 	i=X509_certificate_type(c->pkeys[idx].x509,pkey);
+	EVP_PKEY_free(pkey);

 	
 	/* Check that we have a certificate if we require one */

--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1510,6 +1510,7 @@ f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
 		}
 end:
+	EVP_PKEY_free(pkey);
 	return(ret);
 	}


--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -229,8 +229,10 @@ EVP_PKEY *pkey;

 	if (c->pkeys[i].x509 != NULL)
 		{
-		EVP_PKEY_copy_parameters(
-			X509_get_pubkey(c->pkeys[i].x509),pkey);
+		EVP_PKEY *pktmp;
+		pktmp =	X509_get_pubkey(c->pkeys[i].x509);
+		EVP_PKEY_copy_parameters(pktmp,pkey);
+		EVP_PKEY_free(pktmp);
 		ERR_clear_error();

 #ifndef NO_RSA
@@ -503,6 +505,7 @@ X509 *x;
 	if (i < 0)
 		{
 		SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+		EVP_PKEY_free(pkey);
 		return(0);
 		}

@@ -549,6 +552,7 @@ X509 *x;
 	else
 		ok=1;

+	EVP_PKEY_free(pkey);
 	if (bad)
 		{
 		EVP_PKEY_free(c->pkeys[i].privatekey);