authorSandrine Bailleux <sandrine.bailleux@arm.com>2021-01-15 14:44:47 +0000
committerTrustedFirmware Code Review <review@review.trustedfirmware.org>2021-01-15 14:44:47 +0000
commitdfa04b3dce01ba322c212fa6e820db2b8c4f08c9 (patch)
tree233dc59269a9c89cdeb579285d3202ec2ef73b32 /tools/cert_create
parent57d6f839260eb5516e9a9f67e4c8bada09721b23 (diff)
parentbcad20308fbaad350ad0486d7cb36ae23b44a18b (diff)
downloadarm-trusted-firmware-dfa04b3dce01ba322c212fa6e820db2b8c4f08c9.tar.gz
Merge changes from topic "certtool-memleak" into integration
* changes: Use preallocated parts of the HASH struct; Free arguments copied with strdup; Free keys after use; Free X509_EXTENSIONs
Diffstat (limited to 'tools/cert_create')
-rw-r--r--tools/cert_create/src/ext.c37
-rw-r--r--tools/cert_create/src/main.c39
2 files changed, 50 insertions, 26 deletions
diff --git a/tools/cert_create/src/ext.c b/tools/cert_create/src/ext.c
index d9a92bb10..65dd3e583 100644
--- a/tools/cert_create/src/ext.c
+++ b/tools/cert_create/src/ext.c
@@ -158,51 +158,36 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len)
{
X509_EXTENSION *ex;
- ASN1_OCTET_STRING *octet;
HASH *hash;
ASN1_OBJECT *algorithm;
- X509_ALGOR *x509_algor;
unsigned char *p = NULL;
int sz;
+ /* HASH structure containing algorithm + hash */
+ hash = HASH_new();
+ if (hash == NULL) {
+ return NULL;
+ }
+
/* OBJECT_IDENTIFIER with hash algorithm */
algorithm = OBJ_nid2obj(EVP_MD_type(md));
if (algorithm == NULL) {
+ HASH_free(hash);
return NULL;
}
/* Create X509_ALGOR */
- x509_algor = X509_ALGOR_new();
- if (x509_algor == NULL) {
- return NULL;
- }
- x509_algor->algorithm = algorithm;
- x509_algor->parameter = ASN1_TYPE_new();
- ASN1_TYPE_set(x509_algor->parameter, V_ASN1_NULL, NULL);
+ hash->hashAlgorithm->algorithm = algorithm;
+ hash->hashAlgorithm->parameter = ASN1_TYPE_new();
+ ASN1_TYPE_set(hash->hashAlgorithm->parameter, V_ASN1_NULL, NULL);
/* OCTET_STRING with the actual hash */
- octet = ASN1_OCTET_STRING_new();
- if (octet == NULL) {
- X509_ALGOR_free(x509_algor);
- return NULL;
- }
- ASN1_OCTET_STRING_set(octet, buf, len);
-
- /* HASH structure containing algorithm + hash */
- hash = HASH_new();
- if (hash == NULL) {
- ASN1_OCTET_STRING_free(octet);
- X509_ALGOR_free(x509_algor);
- return NULL;
- }
- hash->hashAlgorithm = x509_algor;
- hash->dataHash = octet;
+ ASN1_OCTET_STRING_set(hash->dataHash, buf, len);
/* DER encoded HASH */
sz = i2d_HASH(hash, &p);
if ((sz <= 0) || (p == NULL)) {
HASH_free(hash);
- X509_ALGOR_free(x509_algor);
return NULL;
}
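Review bot: The return values of `ASN1_TYPE_new()` and `ASN1_OCTET_STRING_set()` are not checked in the new lines of ext_new_hash, so an allocation failure either hands a NULL parameter to `ASN1_TYPE_set()` or leaves `hash->dataHash` without the digest while the function carries on to `i2d_HASH()`. Because this tool's output feeds a chain of trust, a failed copy should abort rather than risk encoding an extension with a missing hash. `X509_ALGOR_set0(hash->hashAlgorithm, algorithm, V_ASN1_NULL, NULL)` sets both fields and returns 0 on failure, and `if (!ASN1_OCTET_STRING_set(hash->dataHash, buf, len)) { HASH_free(hash); return NULL; }` covers the digest copy. The function body continues past the end of this hunk.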
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 2ba110132..d5abe4917 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -539,6 +539,11 @@ int main(int argc, char *argv[])
exit(1);
}
+ for (cert_ext = sk_X509_EXTENSION_pop(sk); cert_ext != NULL;
+ cert_ext = sk_X509_EXTENSION_pop(sk)) {
+ X509_EXTENSION_free(cert_ext);
+ }
+
sk_X509_EXTENSION_free(sk);
}
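Review bot: The pop loop followed by `sk_X509_EXTENSION_free(sk)` can be written as the single call `sk_X509_EXTENSION_pop_free(sk, X509_EXTENSION_free);`, the usual OpenSSL idiom for releasing a stack together with its elements. Freeing the elements here is only safe if the certificate built earlier holds its own copies of the extensions, which this hunk does not show. A short comment such as `/* cert holds its own copies; the stack and its elements are ours to free */` would record that assumption, since releasing an extension the certificate still references would be a use-after-free. The enclosing loop in main starts outside the hunk.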
@@ -576,10 +581,44 @@ int main(int argc, char *argv[])
}
}
+ /* If we got here, then we must have filled the key array completely.
+ * We can then safely call free on all of the keys in the array
+ */
+ for (i = 0; i < num_keys; i++) {
+ EVP_PKEY_free(keys[i].key);
+ }
+
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
+
+ /* We allocated strings through strdup, so now we have to free them */
+ for (i = 0; i < num_keys; i++) {
+ if (keys[i].fn != NULL) {
+ void *ptr = keys[i].fn;
+
+ keys[i].fn = NULL;
+ free(ptr);
+ }
+ }
+ for (i = 0; i < num_extensions; i++) {
+ if (extensions[i].arg != NULL) {
+ void *ptr = (void *)extensions[i].arg;
+
+ extensions[i].arg = NULL;
+ free(ptr);
+ }
+ }
+ for (i = 0; i < num_certs; i++) {
+ if (certs[i].fn != NULL) {
+ void *ptr = (void *)certs[i].fn;
+
+ certs[i].fn = NULL;
+ free(ptr);
+ }
+ }
+
return 0;
}
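Review bot: The three `free()` loops are only valid if every non-NULL `keys[i].fn`, `extensions[i].arg` and `certs[i].fn` was produced by strdup, and nothing visible in this hunk enforces that. The casts in `(void *)extensions[i].arg` and `(void *)certs[i].fn` suggest those fields are const-qualified, so a value coming from a static initializer or a string literal would reach `free()` and cause undefined behaviour. Either state the ownership rule where the fields are declared (for example `/* NULL or heap-allocated via strdup(); freed at the end of main() */`) or make the fields plain `char *` so the casts disappear. The `!= NULL` guards are redundant because `free(NULL)` is a no-op; the same holds for `EVP_PKEY_free()`, so the comment about the key array being completely filled is not what makes that loop safe. main begins outside the hunk.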