From: Florin Coras
Date: Fri, 11 Jul 2025 03:27:08 +0000 (-0700)
Subject: tls: fix cert and pkey leak
X-Git-Tag: v26.02-rc0~178
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F34%2F43434%2F4;p=vpp.git
tls: fix cert and pkey leak
Free cert and pkey once assigned to make sure they're freed one the ssl structs are freed.
Type: fix
Change-Id: I41546c8ae7bad169a1462b3b9a3807e4644a1c2c
Signed-off-by: Florin Coras
---
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 65fe9a3f58e..020971d0b6d 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -721,6 +721,7 @@ openssl_set_ckpair (SSL *ssl, u32 ckpair_index)
 }
 SSL_use_certificate (ssl, srvcert);
 BIO_free (cert_bio);
+ X509_free (srvcert);
 cert_bio = BIO_new (BIO_s_mem ());
 BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
@@ -732,6 +733,7 @@ openssl_set_ckpair (SSL *ssl, u32 ckpair_index)
 }
 SSL_use_PrivateKey (ssl, pkey);
 BIO_free (cert_bio);
+ EVP_PKEY_free (pkey);
 TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
 return 0;
 }
@@ -1033,6 +1035,7 @@ openssl_start_listen (tls_ctx_t * lctx)
 }
 BIO_free (cert_bio);
+ X509_free (srvcert);
 cert_bio = BIO_new (BIO_s_mem ());
 if (!cert_bio)
@@ -1055,6 +1058,7 @@ openssl_start_listen (tls_ctx_t * lctx)
 }
 BIO_free (cert_bio);
+ EVP_PKEY_free (pkey);
 if (lctx->alpn_list)
 SSL_CTX_set_alpn_select_cb (ssl_ctx, openssl_alpn_select_cb,
@@ -1086,9 +1090,6 @@ openssl_stop_listen (tls_ctx_t * lctx)
 olc_index = lctx->tls_ssl_ctx;
 olc = openssl_lctx_get (olc_index);
- X509_free (olc->srvcert);
- EVP_PKEY_free (olc->pkey);
-
 SSL_CTX_free (olc->ssl_ctx);
 openssl_listen_ctx_free (olc);
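Review bot: In openssl_set_ckpair the results of `SSL_use_certificate (ssl, srvcert)` and, in the second hunk, `SSL_use_PrivateKey (ssl, pkey)` are still discarded, so the function reaches `return 0` even when OpenSSL did not accept the certificate or key. Because the local references are now released right after these calls, the result can be captured first and tested after the frees, e.g. `int rv = SSL_use_certificate (ssl, srvcert);` followed by the existing `BIO_free`/`X509_free` and then `if (rv != 1) return -1;`, and likewise for the key. The key BIO returned by `BIO_new (BIO_s_mem ())` is also passed to `BIO_write` without the `if (!cert_bio)` check that openssl_start_listen applies. The function body starts outside both hunks, so its earlier error handling is not visible here.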
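Review bot: After `X509_free (srvcert)` in this openssl_start_listen hunk and `EVP_PKEY_free (pkey)` in the next one, any copy of these pointers kept in the listener context is no longer an owned reference. The lines removed from openssl_stop_listen show that `olc->srvcert` and `olc->pkey` exist as fields. If openssl_start_listen still assigns them further down (not visible in these hunks), they remain valid only while `ssl_ctx` holds its own references and dangle once `SSL_CTX_free (olc->ssl_ctx)` runs. Either drop the two fields, or mark them where they are assigned with a comment such as `/* borrowed from ssl_ctx; never freed here, invalid after SSL_CTX_free */` so a later change does not reintroduce a double free or a use after free.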