Re: [Openvpn-devel] [PATCH] Fix memory leak in x509_verify_cert_ku()

Mon, 08 May 2017 08:38:53 -0700 

Hi,

On 08-05-17 16:54, David Sommerseth wrote:
> On 07/05/17 13:01, Steffan Karger wrote:
> --------------------------------------------------------------------
> result_t
> x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
>                     int expected_len)
> {
>     ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage,
>                                            NULL, NULL);
> 
>     if (ku == NULL)
>     {
>         msg(D_TLS_ERRORS, "Certificate does not have key "
>                            "usage extension");
>         return FAILURE;
>     }
> 
>     if (expected_ku[0] == OPENVPN_KU_REQUIRED)
>     {
>         /* Extension required, value checked by TLS library */
>         ASN1_BIT_STRING_free(ku);   /** new line **/
>         return SUCCESS;
>     }
> 
>     unsigned nku = 0;
>     for (size_t i = 0; i < 8; i++)
> --------------------------------------------------------------------
> 
> Wouldn't it make more sense to rather move the
> `if (expected_ku[0] == OPENVPN_KU_REQUIRED)` block above the
> `ASN1_BIT_STRING *ku` declaration?   Like this:
> 
> 
> --------------------------------------------------------------------
> result_t
> x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
>                     int expected_len)
> {
>     if (expected_ku[0] == OPENVPN_KU_REQUIRED)
>     {
>         /* Extension required, value checked by TLS library */
>         return SUCCESS;
>     }
> 
>     ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage,
>                                            NULL, NULL);
>     if (ku == NULL)
>     {
>         msg(D_TLS_ERRORS, "Certificate does not have key "
>                            "usage extension");
>         return FAILURE;
>     }
> 
>     unsigned nku = 0;
>     for (size_t i = 0; i < 8; i++)
> --------------------------------------------------------------------
> 
> Or is the implicit check that ku != NULL important when checking
> OPENVPN_KU_REQUIRED ?

Exactly.  OPENVPN_KU_REQUIRED means that we need *some* ku, so we need
to first get ku, and error out if it's NULL.  At the location in my
patch, we know that it's non-null, so it's good.

-Steffan

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to