tls: Fix SSL_CTX leak on every client session

author Brian Morris <bmorris2@cisco.com>

Wed, 11 Oct 2023 17:36:59 +0000 (17:36 +0000)

committer Florin Coras <florin.coras@gmail.com>

Wed, 11 Oct 2023 20:12:50 +0000 (20:12 +0000)
author Brian Morris <bmorris2@cisco.com>
Wed, 11 Oct 2023 17:36:59 +0000 (17:36 +0000)
committer Florin Coras <florin.coras@gmail.com>
Wed, 11 Oct 2023 20:12:50 +0000 (20:12 +0000)
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c

index 15bea86..e63413a 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -72,7 +72,7 @@ openssl_ctx_free (tls_ctx_t * ctx)
  
        SSL_free (oc->ssl);
        vec_free (ctx->srv_hostname);
-
+      SSL_CTX_free (oc->client_ssl_ctx);
  #ifdef HAVE_OPENSSL_ASYNC
    openssl_evt_free (ctx->evt_index, ctx->c_thread_index);
  #endif
@@ -739,30 +739,31 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
        return -1;
      }
  
-  oc->ssl_ctx = SSL_CTX_new (method);
-  if (oc->ssl_ctx == NULL)
+  oc->client_ssl_ctx = SSL_CTX_new (method);
+  if (oc->client_ssl_ctx == NULL)
      {
        TLS_DBG (1, "SSL_CTX_new returned null");
        return -1;
      }
  
-  SSL_CTX_set_ecdh_auto (oc->ssl_ctx, 1);
-  SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+  SSL_CTX_set_ecdh_auto (oc->client_ssl_ctx, 1);
+  SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
  #ifdef HAVE_OPENSSL_ASYNC
    if (om->async)
-    SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
+    SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ASYNC);
  #endif
-  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
+  rv =
+    SSL_CTX_set_cipher_list (oc->client_ssl_ctx, (const char *) om->ciphers);
    if (rv != 1)
      {
        TLS_DBG (1, "Couldn't set cipher");
        return -1;
      }
  
-  SSL_CTX_set_options (oc->ssl_ctx, flags);
-  SSL_CTX_set_cert_store (oc->ssl_ctx, om->cert_store);
+  SSL_CTX_set_options (oc->client_ssl_ctx, flags);
+  SSL_CTX_set1_cert_store (oc->client_ssl_ctx, om->cert_store);
  
-  oc->ssl = SSL_new (oc->ssl_ctx);
+  oc->ssl = SSL_new (oc->client_ssl_ctx);
    if (oc->ssl == NULL)
      {
        TLS_DBG (1, "Couldn't initialize ssl struct");
diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h

index a4beecc..1600cd7 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
@@ -33,7 +33,7 @@ typedef struct tls_ctx_openssl_
  {
    tls_ctx_t ctx;                       /**< First */
    u32 openssl_ctx_index;
-  SSL_CTX *ssl_ctx;
+  SSL_CTX *client_ssl_ctx;
    SSL *ssl;
    BIO *rbio;
    BIO *wbio;
author	Brian Morris <bmorris2@cisco.com>
	Wed, 11 Oct 2023 17:36:59 +0000 (17:36 +0000)
committer	Florin Coras <florin.coras@gmail.com>
	Wed, 11 Oct 2023 20:12:50 +0000 (20:12 +0000)
src/plugins/tlsopenssl/tls_openssl.c		patch \| blob \| history
src/plugins/tlsopenssl/tls_openssl.h		patch \| blob \| history