From 80c8c62fb251ee1f54222cbe23ba095e4c2d8a2f Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Thu, 5 Oct 2023 16:23:43 +0200
Subject: [PATCH] Proper initial_ctx clean up - Call wolfSSL_CTX_free on ssl->initial_ctx so that it decrements the counter and free's the object - Clean up where ssl->initial_ctx is free'd. It only needs to be free'd when the ssl object is being free'd
---
 src/internal.c | 37 +++++++++++++++++++------------------
 src/ssl.c | 6 +-----
 2 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index c00336f90..531b49fae 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6455,7 +6455,7 @@ int InitSSL_Suites(WOLFSSL* ssl) WOLFSSL_SUCCESS return value on success */ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) { - int ret; + int ret = WOLFSSL_SUCCESS; /* set default ret */ byte newSSL; WOLFSSL_ENTER("SetSSL_CTX");
@@ -6475,38 +6475,35 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) if (!newSSL) { WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx."); wolfSSL_CTX_free(ssl->ctx); -#if defined(WOLFSSL_HAPROXY) - wolfSSL_CTX_free(ssl->initial_ctx); -#endif } /* increment CTX reference count */ - wolfSSL_RefInc(&ctx->ref, &ret); + ret = wolfSSL_CTX_up_ref(ctx); #ifdef WOLFSSL_REFCNT_ERROR_RETURN - if (ret < 0) { + if (ret != WOLFSSL_SUCCESS) { return ret; } #else (void)ret; #endif - ret = WOLFSSL_SUCCESS; /* set default ret */ ssl->ctx = ctx; /* only for passing to calls, options could change */ /* Don't change version on a SSL object that has already started a * handshake */ #if defined(WOLFSSL_HAPROXY) - ret = wolfSSL_CTX_up_ref(ctx); - if (ret == WOLFSSL_SUCCESS) { - ssl->initial_ctx = ctx; /* Save access to session key materials */ + if (ssl->initial_ctx == NULL) { + ret = wolfSSL_CTX_up_ref(ctx); + if (ret == WOLFSSL_SUCCESS) { + ssl->initial_ctx = ctx; /* Save access to session key materials */ + } + else { + #ifdef WOLFSSL_REFCNT_ERROR_RETURN + return ret; + #else + (void)ret; + #endif + } } - else { - #ifdef WOLFSSL_REFCNT_ERROR_RETURN - return ret; - #else - (void)ret; - #endif - } - #endif if (!ssl->msgsReceived.got_client_hello && !ssl->msgsReceived.got_server_hello)
@@ -8244,6 +8241,10 @@ void SSL_ResourceFree(WOLFSSL* ssl) #ifdef WOLFSSL_QUIC wolfSSL_quic_free(ssl); #endif +#if defined(WOLFSSL_HAPROXY) + wolfSSL_CTX_free(ssl->initial_ctx); + ssl->initial_ctx = NULL; +#endif } /* Free any handshake resources no longer needed */
diff --git a/src/ssl.c b/src/ssl.c
index d374bd92a..1d33daa2a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -30246,12 +30246,8 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #else (void)ret; #endif - if (ssl->ctx) { + if (ssl->ctx != NULL) wolfSSL_CTX_free(ssl->ctx); -#if defined(WOLFSSL_HAPROXY) - wolfSSL_CTX_free(ssl->initial_ctx); -#endif - } ssl->ctx = ctx; #ifndef NO_CERTS
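Review bot: On the `WOLFSSL_REFCNT_ERROR_RETURN` path in the SetSSL_CTX hunk, `return ret;` after `ret = wolfSSL_CTX_up_ref(ctx);` leaves `ssl->ctx` pointing at the old context whose reference was just released by `wolfSSL_CTX_free(ssl->ctx);` in the `if (!newSSL)` block. If the ssl teardown path releases `ssl->ctx` again, which is presumed here but not visible, that reference is dropped twice and the pointer may already be dangling. Taking the new reference before releasing the old one, or adding `ssl->ctx = NULL;` directly after the free, would close that window. Separately, with the `ret = WOLFSSL_SUCCESS;` reset removed, a failing up_ref value stays in `ret` when `WOLFSSL_REFCNT_ERROR_RETURN` is not defined. Whether it reaches the caller depends on code below the hunk, since SetSSL_CTX continues past the last visible line.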
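Review bot: The new `wolfSSL_CTX_free(ssl->initial_ctx);` at the end of SSL_ResourceFree has no comment saying which reference it releases, although in this patch it becomes the only place that releases it. A one-line comment such as `/* drop the reference taken in SetSSL_CTX; initial_ctx is held until the ssl object is freed */` would keep a later edit from reintroducing the frees removed from SetSSL_CTX and wolfSSL_set_SSL_CTX. The call also runs when `initial_ctx` was never set, so it relies on wolfSSL_CTX_free tolerating NULL; that is not shown in this patch and is worth confirming. SSL_ResourceFree starts outside the hunk.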
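Review bot: The rewritten `if (ssl->ctx != NULL)` in wolfSSL_set_SSL_CTX drops the braces around `wolfSSL_CTX_free(ssl->ctx);`, while the conditionals this patch touches in src/internal.c keep theirs. An unbraced body around a reference-count release is easy to extend incorrectly later; `if (ssl->ctx != NULL) { wolfSSL_CTX_free(ssl->ctx); }` keeps the style consistent. The function begins and ends outside the hunk.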