author | Brian Morris <bmorris2@cisco.com> | 2023-10-11 17:36:59 +0000 |
committer | Florin Coras <florin.coras@gmail.com> | 2023-10-11 20:12:50 +0000 |
commit | 733e093e7099552a4609dc5efadf9261df7778d4 (patch) | |
tree | 6381f6cbb0ba0d866a51e7a83dcf3c5b60c49830 | |
parent | 9eaf377a386473a0798966560062a10ae932204d (diff) |
tls: Fix SSL_CTX leak on every client session
Type: fix
Change-Id: I35b3920288269073cdd35f79c938396128d169c9
Signed-off-by: Brian Morris <bmorris2@cisco.com>
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 21 | ||||
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.h | 2 |
2 files changed, 12 insertions, 11 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 15bea86ffd3..e63413a3904 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -72,7 +72,7 @@ openssl_ctx_free (tls_ctx_t * ctx)
   SSL_free (oc->ssl);
   vec_free (ctx->srv_hostname);
-
+  SSL_CTX_free (oc->client_ssl_ctx);
 #ifdef HAVE_OPENSSL_ASYNC
   openssl_evt_free (ctx->evt_index, ctx->c_thread_index);
 #endif
@@ -739,30 +739,31 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
       return -1;
     }
-  oc->ssl_ctx = SSL_CTX_new (method);
-  if (oc->ssl_ctx == NULL)
+  oc->client_ssl_ctx = SSL_CTX_new (method);
+  if (oc->client_ssl_ctx == NULL)
     {
       TLS_DBG (1, "SSL_CTX_new returned null");
       return -1;
     }
-  SSL_CTX_set_ecdh_auto (oc->ssl_ctx, 1);
-  SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+  SSL_CTX_set_ecdh_auto (oc->client_ssl_ctx, 1);
+  SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 #ifdef HAVE_OPENSSL_ASYNC
   if (om->async)
-    SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
+    SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ASYNC);
 #endif
-  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
+  rv =
+    SSL_CTX_set_cipher_list (oc->client_ssl_ctx, (const char *) om->ciphers);
   if (rv != 1)
     {
       TLS_DBG (1, "Couldn't set cipher");
       return -1;
     }
-  SSL_CTX_set_options (oc->ssl_ctx, flags);
-  SSL_CTX_set_cert_store (oc->ssl_ctx, om->cert_store);
+  SSL_CTX_set_options (oc->client_ssl_ctx, flags);
+  SSL_CTX_set1_cert_store (oc->client_ssl_ctx, om->cert_store);
-  oc->ssl = SSL_new (oc->ssl_ctx);
+  oc->ssl = SSL_new (oc->client_ssl_ctx);
   if (oc->ssl == NULL)
     {
       TLS_DBG (1, "Couldn't initialize ssl struct");
diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h
index a4beecc8ec1..1600cd77aba 100644
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
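Review bot: The new `SSL_CTX_free (oc->client_ssl_ctx)` in openssl_ctx_free is the counterpart to the per-session `SSL_CTX_new` in openssl_ctx_init_client, but nothing at the call site says why this context is session-owned, nor that server-side sessions reach the same line with the field (presumably) never set. SSL_CTX_free tolerates a NULL argument, so the server path is safe only as long as the struct is zeroed when the session is allocated, which this hunk cannot show. I would add `/* Client sessions own their SSL_CTX (openssl_ctx_init_client); NULL for server sessions. */` above the call, and clear the field afterwards with `oc->client_ssl_ctx = 0;` so a recycled ctx cannot carry a dangling pointer into a later free. The order SSL_free then SSL_CTX_free is fine either way since the SSL object holds its own reference to the context. openssl_ctx_free continues outside the hunk.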
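Review bot: The change from `SSL_CTX_set_cert_store` to `SSL_CTX_set1_cert_store` in openssl_ctx_init_client is load-bearing for this fix but carries no comment: the set0-style call transfers ownership of the shared `om->cert_store` to the context, so once the per-session context is actually freed in openssl_ctx_free the first session teardown would free the store under every other session, whereas set1 takes a reference. Suggest `/* set1: take a ref, the store is shared and the per-session ctx is freed in openssl_ctx_free */` on that line. The early `return -1` paths after `SSL_CTX_new` (cipher-list failure, SSL_new failure) leave client_ssl_ctx allocated; that is leak-free only if the caller always runs openssl_ctx_free on failure, which cannot be confirmed from this hunk. openssl_ctx_init_client begins and ends outside the hunk.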
@@ -33,7 +33,7 @@ typedef struct tls_ctx_openssl_
 {
   tls_ctx_t ctx; /**< First */
   u32 openssl_ctx_index;
-  SSL_CTX *ssl_ctx;
+  SSL_CTX *client_ssl_ctx;
   SSL *ssl;
   BIO *rbio;
   BIO *wbio;