author | Danil Yarantsev <tiberiumk12@gmail.com> | 2021-03-29 11:49:19 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-29 10:49:19 +0200 |
commit | b36182b0a4ca13d90c1a19de5b9945289c4f25fd (patch) | |
tree | 55e7eef16dbabe07634c6ffc32b9fd1186d32f3b | |
parent | e5be216ccbf1e3453e0076f2f260ddda85a5f27a (diff) | |
download | Nim-b36182b0a4ca13d90c1a19de5b9945289c4f25fd.tar.gz |
Free the certificate after checking in `checkCertName` (#17558) [backport:1.2]
* Fix small leak in checkCertName * Size is not needed either * Free the certificate after checking
-rw-r--r-- | lib/pure/net.nim | 7 | ||||
-rw-r--r-- | lib/wrappers/openssl.nim | 2 |
2 files changed, 6 insertions, 3 deletions
diff --git a/lib/pure/net.nim b/lib/pure/net.nim
index b37782271..bb1a14cfd 100644
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -770,10 +770,11 @@ when defineSsl:
 raiseSSLError("No SSL certificate found.")
 const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0x1.cuint
- const size = 1024
- var peername: string = newString(size)
+ # https://www.openssl.org/docs/man1.1.1/man3/X509_check_host.html
 let match = certificate.X509_check_host(hostname.cstring, hostname.len.cint,
- X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, peername)
+ X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, nil)
+ # https://www.openssl.org/docs/man1.1.1/man3/SSL_get_peer_certificate.html
+ X509_free(certificate)
 if match != 1: raiseSSLError("SSL Certificate check failed.")
diff --git a/lib/wrappers/openssl.nim b/lib/wrappers/openssl.nim
index 313ce7d19..ec4740bab 100644
--- a/lib/wrappers/openssl.nim
+++ b/lib/wrappers/openssl.nim
@@ -809,6 +809,8 @@ when not defined(nimDisableCertificateValidation) and not defined(windows):
 proc X509_check_host*(cert: PX509, name: cstring, namelen: cint, flags:cuint, peername: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.}
+ proc X509_free*(cert: PX509) {.cdecl, dynlib: DLLSSLName, importc.}
+ # Certificates store type PX509_STORE* = SslPtr |
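Review bot: The rewritten argument line of the `X509_check_host` call in lib/pure/net.nim still passes `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT`, which per the linked OpenSSL page makes the subject CN count even when the certificate carries DNS subject alternative names, so a host name absent from the SAN list can still be accepted. Unless the flag is a deliberate compatibility choice (not visible here), passing no flags, `0.cuint, nil)`, keeps the stricter default in which the CN is consulted only when no DNS SAN is present. The second URL comment would also be clearer as a statement of ownership, for example `# the peer certificate is an owned reference (presumably from SSL_get_peer_certificate); release it before any raise`. The enclosing proc starts and ends outside the hunk.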
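Review bot: `X509_free` is declared inside the `when not defined(nimDisableCertificateValidation) and not defined(windows)` block in lib/wrappers/openssl.nim, so the binding is missing on Windows and when validation is disabled, although releasing an X509 handle is not specific to host-name checking. If any code path in those configurations obtains a peer certificate (not visible in this hunk), it has no way to release it; consider declaring the proc outside the guard. A doc comment such as `## Drops one reference to cert; the caller must not use cert afterwards.` would record the contract for callers of the wrapper.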