From c28b7b59c32b42acc831c77da97917c0b0d6e7b7 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 30 Jun 2020 19:19:15 +0200
Subject: [PATCH] Fix jenkins leaks
---
 src/internal.c | 8 +++-----
 src/ssl.c | 26 ++++----------------------
 tests/api.c | 1 +
 wolfssl/ssl.h | 3 ++-
 4 files changed, 10 insertions(+), 28 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index e9a888bb1..179e28aa8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1858,11 +1858,9 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
 }
 #endif
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
- while (ctx->x509Chain != NULL) {
- WOLFSSL_STACK *next = ctx->x509Chain->next;
- wolfSSL_X509_free(ctx->x509Chain->data.x509);
- XFREE(ctx->x509Chain, NULL, DYNAMIC_TYPE_OPENSSL);
- ctx->x509Chain = next;
+ if (ctx->x509Chain) {
+ wolfSSL_sk_X509_free(ctx->x509Chain);
+ ctx->x509Chain = NULL;
 }
 #endif
 #endif /* !NO_CERTS */
diff --git a/src/ssl.c b/src/ssl.c
index 36b764a85..01ab2aea4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -19310,7 +19310,7 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_dup(WOLFSSL_ASN1_OBJECT* obj)
 return NULL;
 }
 XMEMCPY((byte*)dup->obj, obj->obj, obj->objSz);
- dup->dynamic = 1;
+ dup->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA;
 }
 return dup;
 }
@@ -23004,9 +23004,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 counts increased */
 WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get1_chain(WOLFSSL_X509_STORE_CTX* ctx)
 {
- unsigned long i;
 WOLFSSL_STACK* ref;
- WOLFSSL_STACK* copy;
 if (ctx == NULL) {
 return NULL;
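Review bot: `dup->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA` in wolfSSL_ASN1_OBJECT_dup is only correct if `dup->dynamic` already holds a defined value from the allocation earlier in the function, which is outside this hunk. The field also changes here from a 0/1 boolean to a bit mask, so any remaining site that writes `dynamic = 1` or tests `dynamic == 1` could skip a free or free memory the object does not own; those sites are not visible in this patch and should be checked. A comment at the assignment would record the ownership rule, e.g. `/* obj buffer was allocated above and is owned by dup; this bit tells the free path to release it */`.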
@@ -23019,23 +23017,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get1_chain(WOLFSSL_X509_STORE_CTX* ctx)
 }
 /* create duplicate of ctx chain */
- copy = wolfSSL_sk_dup(ref);
- if (copy == NULL) {
- return NULL;
- }
-
- /* increase ref counts of inner data X509 */
- ref = copy;
- for (i = 0; i < copy->num && ref != NULL; i++) {
- if (wc_LockMutex(&ref->data.x509->refMutex) != 0) {
- WOLFSSL_MSG("Failed to lock x509 mutex");
- }
- ref->data.x509->refCount++;
- wc_UnLockMutex(&ref->data.x509->refMutex);
- ref = ref->next;
- }
-
- return copy;
+ return wolfSSL_sk_dup(ref);
 }
@@ -40678,10 +40660,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt)
 /* Free previous chain */
 wolfSSL_sk_X509_free(ctx->x509Chain);
 ctx->x509Chain = sk;
- if (sk) {
+ if (sk && opt == 1) {
+ /* up all refs when opt == 1 */
 for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) {
 x509 = wolfSSL_sk_X509_value(sk, i);
- /* On successful setting of new chain up all refs */
 if (wolfSSL_X509_up_ref(x509) != 1) {
 WOLFSSL_MSG("Error increasing reference count");
 continue;
diff --git a/tests/api.c b/tests/api.c
index 98aee0052..73a81bd46 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -31349,6 +31349,7 @@ static void test_wolfSSL_X509V3_EXT(void) {
 AssertNotNull(asn1str = (WOLFSSL_ASN1_STRING*)wolfSSL_X509V3_EXT_d2i(ext));
 AssertNotNull(ext2 = wolfSSL_X509V3_EXT_i2d(NID_subject_key_identifier, 0, asn1str));
+ X509_EXTENSION_free(ext2);
 AssertNotNull(method = wolfSSL_X509V3_EXT_get(ext));
 AssertNotNull(method->i2s);
 AssertNotNull(str = method->i2s((WOLFSSL_v3_ext_method*)method, asn1str));
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 86e2b3aed..4f08e92c9 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
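Review bot: Ownership of the chain returned by wolfSSL_X509_STORE_CTX_get1_chain is no longer visible in the function, because `return wolfSSL_sk_dup(ref);` leaves it entirely to wolfSSL_sk_dup, whose body is not in this patch. The header comment, whose tail `counts increased */` is visible in the previous hunk, still describes raising reference counts. If wolfSSL_sk_dup copies each certificate that comment is stale; if it copies only the stack nodes, a caller that frees the returned chain would release certificates the store context still uses. Once confirmed, I would state the contract at the return, e.g. `/* wolfSSL_sk_dup hands the caller its own X509 objects; release the result with wolfSSL_sk_X509_free() */`. The function starts above this hunk.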
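Review bot: When `wolfSSL_X509_up_ref(x509)` fails in wolfSSL_CTX_ctrl, the loop only logs and hits `continue`, yet `ctx->x509Chain = sk` has already been assigned, so the context keeps a certificate it holds no reference to. SSL_CtxResourceFree later passes that chain to `wolfSSL_sk_X509_free`, which presumably releases every entry, so the caller and the context can both release the same certificate. Taking the references before the chain is installed and giving them back on failure avoids that. The sketch below assumes this case may return `WOLFSSL_FAILURE`, which depends on code outside the hunk, and the loop closes after the hunk ends. Separately, the new comment `/* up all refs when opt == 1 */` restates the condition; it should say what `opt == 1` means for ownership compared with the other value.

```c
/* ... unchanged: code before the "Free previous chain" comment ... */
if (sk && opt == 1) {
    for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) {
        /* ... unchanged: x509 lookup ... */
        if (wolfSSL_X509_up_ref(x509) != 1) {
            /* ... unchanged: WOLFSSL_MSG ... */
            /* give back the references taken so far; the context keeps
             * its current chain */
            while (i-- > 0) {
                wolfSSL_X509_free(wolfSSL_sk_X509_value(sk, i));
            }
            return WOLFSSL_FAILURE;
/* ... unchanged: rest of the loop, which closes outside the hunk ... */
/* after the `if (sk && opt == 1)` block, swap the chains: */
wolfSSL_sk_X509_free(ctx->x509Chain);
ctx->x509Chain = sk;
```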
@@ -274,7 +274,8 @@ struct WOLFSSL_ASN1_OBJECT {
 int ca;
 WOLFSSL_ASN1_INTEGER *pathlen;
 #endif
- unsigned char dynamic; /* if 1 then obj was dynamically created, 0 otherwise */
+ unsigned char dynamic; /* Use WOLFSSL_ASN1_DYNAMIC and WOLFSSL_ASN1_DYNAMIC_DATA
+ * to determine what needs to be freed. */
 #if defined(WOLFSSL_APACHE_HTTPD)
 WOLFSSL_GENERAL_NAME* gn;