From: Frédéric Lécaille
Date: Tue, 4 Jul 2023 09:09:25 +0000 (+0200)
Subject: MINOR: quic: Release asap the negotiated Initial TLS context.
X-Git-Tag: v2.9-dev2~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b8510d722607ffc29cc1cb87aab466df0f2f482;p=thirdparty%2Fhaproxy.git

MINOR: quic: Release asap the negotiated Initial TLS context.

This context may be released at the same time as the Initial TLS context. This is done calling quic_tls_ctx_secs_free() and pool_free() in two code locations. Implement quic_nictx_free() to do that.
---
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index d433fff3d4..dfbe8dba50 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -757,6 +757,16 @@ static inline int quic_tls_secrets_keys_alloc(struct quic_tls_secrets *secs)
 return 0;
 }
 
+/* Release the memory allocated for the negotiated Initial QUIC TLS context
+ * attached to connection.
+ */
+static inline void quic_nictx_free(struct quic_conn *qc)
+{
+ quic_tls_ctx_secs_free(qc->nictx);
+ pool_free(pool_head_quic_tls_ctx, qc->nictx);
+ qc->nictx = NULL;
+}
+
 /* Initialize a TLS cryptographic context for the Initial encryption level. */
 static inline int quic_initial_tls_ctx_init(struct quic_tls_ctx *ctx)
 {
diff --git a/src/quic_conn.c b/src/quic_conn.c
index da471bb818..2b38149765 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -3356,6 +3356,8 @@ static int qc_parse_pkt_frms(struct quic_conn *qc, struct quic_rx_packet *pkt,
 qc_set_timer(qc);
 qc_el_rx_pkts_del(qc->iel);
 qc_release_pktns_frms(qc, qc->ipktns);
+ /* Also release the negotiated Inital TLS context. */
+ quic_nictx_free(qc);
 }
 if (qc->state < QUIC_HS_ST_SERVER_HANDSHAKE)
 qc->state = QUIC_HS_ST_SERVER_HANDSHAKE;
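Review bot: quic_nictx_free() passes qc->nictx to quic_tls_ctx_secs_free() and pool_free() without checking it, yet it resets the pointer to NULL on exit and is now called from two sites (qc_parse_pkt_frms and quic_conn_io_cb), so a second call, or a connection whose negotiated context was never allocated, hands NULL to both helpers. Unless those two helpers are known to accept NULL, an early `if (!qc->nictx) return;` at the top makes the function idempotent and keeps the double-release path safe. The header comment should state that contract either way, e.g. `/* ... May be called more than once: qc->nictx is reset to NULL. */`. Since this context holds Initial key material, it is also worth confirming that quic_tls_ctx_secs_free() scrubs the secrets before the block goes back to the pool, which cannot be seen from this hunk.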
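Review bot: The comment added before the new quic_nictx_free() call spells "Initial" as "Inital"; the matching comment added in quic_conn_io_cb carries the same typo. The visible lines just drop the Initial level's RX packets and the Initial packet-number-space frames, so the comment would be more useful if it named that dependency instead of only "Also", e.g. `/* Initial RX packets and frames are gone: also release the negotiated Initial TLS context. */`. The enclosing block starts outside the hunk, so whether every path reaching this point has finished using qc->nictx cannot be confirmed from here.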
@@ -5221,6 +5223,8 @@ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state)
 quic_pktns_release(qc, &qc->ipktns);
 qc_enc_level_free(qc, &qc->hel);
 quic_pktns_release(qc, &qc->hpktns);
+ /* Also release the negotiated Inital TLS context. */
+ quic_nictx_free(qc);
 }
 TRACE_PROTO("ssl error", QUIC_EV_CONN_IO_CB, qc, &st, &ssl_err);