This fixes a few memory leaks reported in #22049.
If SSL_CTX_set0_tmp_dh_pkey rejects the temp dh key
due to security restrictions (even when @SECLEVEL=0 is used!)
then the caller has to delete the PKEY object.
That is different to how the deprecated
SSL_CTX_set_tmp_dh_pkey was designed to work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22060)
ERR_print_errors(bio_err);
goto end;
}
- SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey);
- SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey);
+ if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey))
+ EVP_PKEY_free(dhpkey);
+ if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey))
+ EVP_PKEY_free(dhpkey);
}
#endif