ref: d5b37dc479986f53d24f480e739eaf49170ac23f
parent: 27c94cd34892ffd8443bfb596e69704624b30595
author: igor <igor@mux>
date: Tue Jan 23 18:38:26 EST 2024
Free heap allocated default certificate if SNI override is found (@igor)
--- a/tlshand.c
+++ b/tlshand.c
@@ -354,7 +354,7 @@
};
static TlsConnection *tlsServer2(int ctl, int hand,
- uchar *cert, int certlen,
+ uchar **cert, int certlen,
char *pskid, uchar *psk, int psklen,
int (*trace)(char*fmt, ...), PEMChain *chain);
static TlsConnection *tlsClient2(int ctl, int hand,
@@ -455,7 +455,7 @@
data = -1;
fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
tls = tlsServer2(ctl, hand,
- conn->cert, conn->certlen,
+ &(conn->cert), conn->certlen,
conn->pskID, conn->psk, conn->psklen,
conn->trace, conn->chain);
if(tls != nil){
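Review bot: `&(conn->cert)` lets tlsServer2 replace the certificate buffer in the connection struct, but `conn->certlen` is still passed by value, so after an SNI override the struct holds the new buffer next to the old length; any later reader of `conn->cert`/`conn->certlen` (a further handshake on this conn, or cleanup code) would walk the new buffer with a mismatched length. Pass the length by address too, `&(conn->cert), &(conn->certlen),`, and have tlsServer2 write the override's `pemlen` back through it. Whether anything reads the pair after this call is not visible from this hunk; confirm before relying on the current by-value form. The enclosing function starts before and ends after this hunk.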
@@ -697,7 +697,7 @@
static TlsConnection *
tlsServer2(int ctl, int hand,
- uchar *cert, int certlen,
+ uchar **cert, int certlen,
char *pskid, uchar *psk, int psklen,
int (*trace)(char*fmt, ...), PEMChain *chp)
{
@@ -755,12 +755,13 @@
trace("ClientHello server name indicator %s using %s\n", c->serverName, path);
PEMChain *chain = readcertchain(path);
if (chain){
- cert = chain->pem;
+ free(*cert);
+ *cert = chain->pem;
certlen = chain->pemlen;
}
}
/* server certificate */
- c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
+ c->sec->rsapub = X509toRSApub(*cert, certlen, nil, 0);
if(c->sec->rsapub == nil){
tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
goto Err;
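Review bot: The `PEMChain` node returned by `readcertchain(path)` is never released in this block, and its `pem` buffer now becomes the caller's `*cert`, so ownership is split: if that chain is freed elsewhere together with its `pem`, the caller's certificate dangles and a second `free(*cert)` is a double free, and if it is never freed, the node and any `chain->next` entries leak on every SNI-overridden handshake. Detach the buffer explicitly before the node is dropped, `chain->pem = nil;` right after `*cert = chain->pem;`, and release the node in the same scope by whatever routine pairs with readcertchain. Note also that `certlen = chain->pemlen;` updates only the local copy while `*cert` is written through to the caller, so the caller is left with a stale length for the new buffer. I cannot see readcertchain's ownership contract from here; confirm how its nodes are freed. tlsServer2's body starts before and continues after this hunk.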
@@ -799,7 +800,7 @@
numcerts = countchain(chp);
m.u.certificate.ncert = 1 + numcerts;
m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
- m.u.certificate.certs[0] = makebytes(cert, certlen);
+ m.u.certificate.certs[0] = makebytes(*cert, certlen);
for (i = 0; i < numcerts && chp; i++, chp = chp->next)
m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
if(!msgSend(c, &m, AQueue))
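Review bot: The intermediates placed in `certs[1..]` still come from `chp`, the chain handed in alongside the default certificate, even when `*cert` was replaced by the SNI override earlier in the function; the override's own `chain->next` entries are never sent, so a client receives the SNI leaf paired with the default certificate's intermediates and may fail path validation when the two are issued by different CAs. If the override is meant to carry its own chain, switch to it where `*cert` is replaced, `chp = chain->next;`, so that `countchain(chp)` and this loop serialize the matching intermediates. Whether readcertchain returns more than the leaf is not visible in this diff; confirm against its definition. tlsServer2's body continues outside this hunk.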