From d7b50874f66a950b98f39ae4f88aa586031a7f1d Mon Sep 17 00:00:00 2001
From: kaleb-himes <kaleb@wolfssl.com>
Date: Wed, 10 Jul 2019 13:28:00 -0600
Subject: [PATCH 1/4] Fix leak in dh_test

---
 wolfcrypt/test/test.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 0a3a6d152..4058986f5 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -13061,6 +13061,7 @@ int dh_test(void)
         /* Test Check Key */
         ret = wc_DhSetCheckKey(&key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g),
             NULL, 0, 0, &rng);
+        keyInit = 1; /* DhSetCheckKey also initializes the key, free it */
     }
 #endif
 

From 85ce959031810469ab0e171284ce563687817b09 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Wed, 10 Jul 2019 16:04:42 -0600
Subject: [PATCH 2/4] free peer cert overwritten by secure renegotiation

---
 src/internal.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 2f49b5bf3..c0f303b6e 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -5652,6 +5652,10 @@ void FreeHandshakeResources(WOLFSSL* ssl)
 #ifdef HAVE_SECURE_RENEGOTIATION
     if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
         WOLFSSL_MSG("Secure Renegotiation needs to retain handshake resources");
+    #ifdef KEEP_PEER_CERT
+        /* free peer cert in preparation for new handshake */
+        FreeX509(&ssl->peerCert);
+    #endif
         return;
     }
 #endif

From 6c9fac2a7195e5ec0d35ae47f4fd808361927b3f Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Wed, 10 Jul 2019 16:43:44 -0600
Subject: [PATCH 3/4] add wolfSSL_RAND_Cleanup to match wolfSSL_RAND_seed call
 on init

---
 src/ssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/ssl.c b/src/ssl.c
index a63db3378..7770f9498 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -9922,6 +9922,10 @@ int wolfSSL_Cleanup(void)
     if (wc_FreeMutex(&count_mutex) != 0)
         ret = BAD_MUTEX_E;
 
+#ifdef OPENSSL_EXTRA
+    wolfSSL_RAND_Cleanup();
+#endif
+
     if (wolfCrypt_Cleanup() != 0) {
         WOLFSSL_MSG("Error with wolfCrypt_Cleanup call");
         ret = WC_CLEANUP_E;

From a6cc9af1fcdd1a134dfe8f3d593192a5745d9889 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Wed, 10 Jul 2019 17:07:16 -0600
Subject: [PATCH 4/4] free old peer RSA key in secure renegotiation when
 getting new one

---
 src/internal.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index c0f303b6e..0964e1369 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10102,6 +10102,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                             ssl->peerRsaKeyPresent = 1;
                     #ifdef HAVE_PK_CALLBACKS
                         #ifndef NO_RSA
+                            #ifdef HAVE_SECURE_RENEGOTIATION
+                            if (ssl->buffers.peerRsaKey.buffer) {
+                                XFREE(ssl->buffers.peerRsaKey.buffer,
+                                        ssl->heap, DYNAMIC_TYPE_RSA);
+                                ssl->buffers.peerRsaKey.buffer = NULL;
+                            }
+                            #endif
+
+
                             ssl->buffers.peerRsaKey.buffer =
                                    (byte*)XMALLOC(args->dCert->pubKeySize,
                                                 ssl->heap, DYNAMIC_TYPE_RSA);