Free the certificate after checking in checkCertName (#17558) [backport:1.2]

* Fix small leak in checkCertName * Size is not needed either * Free the certificate after checking (cherry picked from commit b36182b0a4)
2026-04-19 22:10:33 +00:00 · 2021-03-29 11:49:19 +03:00
parent 28b301cbaa
commit f7f7a02915
2 changed files with 6 additions and 3 deletions
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -769,10 +769,11 @@ when defineSsl:
        raiseSSLError("No SSL certificate found.")

      const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0x1.cuint
-      const size = 1024
-      var peername: string = newString(size)
+      # https://www.openssl.org/docs/man1.1.1/man3/X509_check_host.html
      let match = certificate.X509_check_host(hostname.cstring, hostname.len.cint,
-        X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, peername)
+        X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, nil)
+      # https://www.openssl.org/docs/man1.1.1/man3/SSL_get_peer_certificate.html
+      X509_free(certificate)
      if match != 1:
        raiseSSLError("SSL Certificate check failed.")

--- a/lib/wrappers/openssl.nim
+++ b/lib/wrappers/openssl.nim
@@ -809,6 +809,8 @@ when not defined(nimDisableCertificateValidation) and not defined(windows):

  proc X509_check_host*(cert: PX509, name: cstring, namelen: cint, flags:cuint, peername: cstring): cint {.cdecl, dynlib: DLLSSLName, importc.}

+  proc X509_free*(cert: PX509) {.cdecl, dynlib: DLLSSLName, importc.}
+
  # Certificates store

  type PX509_STORE* = SslPtr