If keyUsage was only required to be present, but no specific value was required, we would omit to free the extracted string. This happens as of 2.4.1, if --remote-cert-tls is used. In that case we leak a bit of memory on each TLS (re)negotiation.
Signed-off-by: Steffan Karger <stef...@karger.me> --- Changes.rst | 9 +++++++++ src/openvpn/ssl_verify_openssl.c | 1 + 2 files changed, 10 insertions(+) diff --git a/Changes.rst b/Changes.rst index c1583b3..3dba7e0 100644 --- a/Changes.rst +++ b/Changes.rst @@ -318,3 +318,12 @@ Version 2.4.1 ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage extension instead. Make sure your certificates carry these to be able to use ``--remote-cert-tls``. + + +Version 2.4.2 +============= + +Bugfixes +-------- +- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked + some memory on each TLS (re)negotiation. diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 54eadbd..337729c 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -599,6 +599,7 @@ x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, if (expected_ku[0] == OPENVPN_KU_REQUIRED) { /* Extension required, value checked by TLS library */ + ASN1_BIT_STRING_free(ku); return SUCCESS; } -- 2.7.4
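Review bot: The Changes.rst entry under "Version 2.4.2 / Bugfixes" does not say which TLS backend is affected, but the code change touches only src/openvpn/ssl_verify_openssl.c, so the leak is specific to builds linked against OpenSSL. Suggest narrowing the note, e.g. "- Fix memory leak introduced in 2.4.1 (OpenSSL builds only): if --remote-cert-tls is used, we leaked some memory on each TLS (re)negotiation.", so users of other crypto backends can tell at a glance that they are not affected. It would also help to mention that the leaked object is the extracted keyUsage bit string, since that is what the commit message describes.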
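Review bot: In the x509_verify_cert_ku hunk, the added "ASN1_BIT_STRING_free(ku);" before "return SUCCESS;" fixes this one early-return path, but the function now frees "ku" at more than one exit, and the other exits are outside the visible context. Please confirm that every remaining return after the OPENVPN_KU_REQUIRED check (the success case once a matching bit is found and the failure case when none matches) also frees "ku", or restructure to a single exit point (e.g. set a result variable, break out, and free "ku" once before the final return) so that a future added return cannot reintroduce the same per-negotiation leak. A short comment on the early return noting that "ku" is owned by this function and must be released here would make the ownership explicit.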