[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Sun Oct 18 13:37:14 UTC 2015
The branch master has been updated
via 76e0cd12f68f0b8173bc71ee6e9ad3ca453d5a28 (commit)
via bb7fc98c43e29b9169522f6e25aa5988ce931c6c (commit)
from 7f3e6f8c243710b8dc89f385196987ad83c7848d (commit)
- Log -----------------------------------------------------------------
commit 76e0cd12f68f0b8173bc71ee6e9ad3ca453d5a28
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 18 00:16:23 2015 +0100
Move auto Host adding to query_responder
Check for Host header in query_responder instead of process_responder. This
also fixes a memory leak in the old code if headers was NULL.
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit bb7fc98c43e29b9169522f6e25aa5988ce931c6c
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Oct 18 00:04:10 2015 +0100
Fix memory leak with -issuer option.
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ocsp.c | 33 ++++++++++++++++-----------------
1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 0f8ddcc..2ef4278 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -118,7 +118,8 @@ static BIO *init_responder(const char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
const char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
+ const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
@@ -404,13 +405,14 @@ int ocsp_main(int argc, char **argv)
path = opt_arg();
break;
case OPT_ISSUER:
- X509_free(issuer);
issuer = load_cert(opt_arg(), FORMAT_PEM,
NULL, NULL, "issuer certificate");
if (issuer == NULL)
goto end;
- if ((issuers = sk_X509_new_null()) == NULL)
- goto end;
+ if (issuers == NULL) {
+ if ((issuers = sk_X509_new_null()) == NULL)
+ goto end;
+ }
sk_X509_push(issuers, issuer);
break;
case OPT_CERT:
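Review bot: The return value of `sk_X509_push(issuers, issuer)` is ignored in the OPT_ISSUER case, so a failed push leaves the freshly loaded certificate outside the stack that the new `sk_X509_pop_free(issuers, X509_free)` cleanup walks. Checking it, e.g. `if (!sk_X509_push(issuers, issuer)) { X509_free(issuer); issuer = NULL; goto end; }`, keeps ownership unambiguous. Because `issuer` still aliases the last certificate pushed, any `X509_free(issuer)` remaining on the `end:` path would now be a double free; that path is only partly visible in this diff, so it should be confirmed. The switch in ocsp_main continues outside the hunk.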
@@ -750,6 +752,7 @@ int ocsp_main(int argc, char **argv)
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(cert);
+ sk_X509_pop_free(issuers, X509_free);
X509_free(rsigner);
X509_free(rca_cert);
free_index(rdb);
@@ -1175,13 +1178,15 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 1;
}
-static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
+ const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout)
{
int fd;
int rv;
int i;
+ int add_host = 1;
OCSP_REQ_CTX *ctx = NULL;
OCSP_RESPONSE *rsp = NULL;
fd_set confds;
@@ -1220,10 +1225,15 @@ static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+ if (add_host == 1 && strcasecmp("host", hdr->name) == 0)
+ add_host = 0;
if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
goto err;
}
+ if (add_host == 1 && OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0)
+ goto err;
+
if (!OCSP_REQ_CTX_set1_req(ctx, req))
goto err;
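Review bot: Nothing in the header loop says why `add_host` is cleared, so a short comment before the `strcasecmp("host", hdr->name)` test would help, e.g. `/* A Host entry in headers overrides the default built from host */`. The flag is compared with `== 1` and the call result with `== 0` while the neighbouring lines use `!`; `if (add_host && !OCSP_REQ_CTX_add1_header(ctx, "Host", host))` would match the surrounding style. `host` and the caller-supplied header values are forwarded as given, and whether `OCSP_REQ_CTX_add1_header` rejects embedded CR/LF is not visible here, so that is worth confirming if `host` can come from a URL the operator did not type. query_responder's body starts and ends outside the hunk.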
@@ -1270,7 +1280,6 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
BIO *cbio = NULL;
SSL_CTX *ctx = NULL;
OCSP_RESPONSE *resp = NULL;
- int found, i;
cbio = BIO_new_connect(host);
if (!cbio) {
@@ -1290,18 +1299,8 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
sbio = BIO_new_ssl(ctx, 1);
cbio = BIO_push(sbio, cbio);
}
- for (found = i = 0; i < sk_CONF_VALUE_num(headers); i++) {
- CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
- if (strcasecmp("host", hdr->name) == 0) {
- found = 1;
- break;
- }
- }
-
- if (!found && !X509V3_add_value("Host", host, &headers))
- BIO_printf(bio_err, "Error setting HTTP Host header\n");
- resp = query_responder(cbio, path, headers, req, req_timeout);
+ resp = query_responder(cbio, host, path, headers, req, req_timeout);
if (!resp)
BIO_printf(bio_err, "Error querying OCSP responder\n");
end: