X509 certificate verification ?

Tue, 27 Dec 2005 01:16:25 -0800

Hi All,
 
I am using rsj_verify_x509cert() for X509 certificate verification against a CA. This function is derived from eay_verify_x509cert() from ipsec-tools.5.2 rsj_verify_x509cert() takes memory pointer for cert and CA cert instead of directory in eay_check_x509cert(). But i am experiencing a memory leak of 2-3KB on each call of function. Can anyone give a hint what i m missing ?
 

/*
 * this function will verify a cert, given CA cert & crl from MEMORY.
 * this functions is derived from eay_check_x509cert().
 */
int rsj_check_x509cert(vchar_t *cert, vchar_t *cacert, vchar_t *cacrl, int local)
{
 X509_STORE *cert_ctx = NULL;
 X509_LOOKUP *lookup = NULL;
 X509 *x509 = NULL, *ca_x509=NULL;
 X509_CRL *caCRL = NULL;
 X509_STORE_CTX *csc;
 int error = -1;
 
 cert_ctx = X509_STORE_new();
 
 if (!cert_ctx)
  goto end;

 if (local)
  X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
 else
  X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);

 /* read CA cert from memory(.pem format) */
 ca_x509 = mem2x509_s(cacert);
 
 if (!ca_x509)
  {
   printf("[ERROR] : rsj_check_x509cert() :unable to get CA x509 from memory.\n");
   goto end;
  }

 
 /* load CA cert in cert context  */
 if( (error = X509_STORE_add_cert(cert_ctx, ca_x509)) != 1)
  goto end;

 /* load crl if provided, CRL is optional */
 if(cacrl)
  {
   /* read CA CRL from memory(.pem format) */
   caCRL = mem2x509crl_bio(cacrl);
   if (!caCRL)
    {
     printf("[ERROR] : rsj_check_x509cert() :unable to get CA x509 CRL from memory.\n");
     goto end;
    }
   /* load CA crl in cert context  */
   if( (error = X509_STORE_add_crl(cert_ctx, caCRL)) != 1)
    goto end;
  }

 
 /* read the certificate to be verified */
 x509 = mem2x509(cert);
 if (!x509)
  {
   printf("[[ERROR] : rsj_check_x509cert() :unable to get x509 cert from memory.\n");
   goto end;
  }
 
 /*  This is done to read cert */
 OpenSSL_add_all_digests();
 
 csc = X509_STORE_CTX_new();
 if (!csc)
  goto end;
 
 if( ( error = X509_STORE_CTX_init(csc, cert_ctx, x509, NULL)) != 1)
  goto end;
 
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
 X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
 X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
#endif
 error = -1; /* initialized */
 error = X509_verify_cert(csc);
 X509_STORE_CTX_cleanup(csc);

 /*
  * if x509_verify_cert() is successful then the value of error is
  * set non-zero.
  */
 
 error = error ? 0 : -1;

end:
 if (error)
  printf("\n [ERROR] : rsj_verify_x509cert() :%s\n", eay_strerror());
 if (cert_ctx)
  {   
   X509_STORE_free(cert_ctx);
  }
 if (x509)
  {
   X509_free(x509);
  }
 if (ca_x509)
  {
   X509_free(ca_x509);
  }
 if (caCRL)
  {
   X509_CRL_free(caCRL);
  }
 return(error);
}

Regards,

RSJ

Reply via email to