From: William Lallemand Date: Thu, 23 Jan 2020 09:56:05 +0000 (+0100) Subject: BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded X-Git-Tag: v2.2-dev2~104 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=75b15f790f2be0600483476c1505fec0ce898e35;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded When using "set ssl cert" on the CLI, if we load a new PEM, the previous sctl, issuer and OCSP response are still loaded. This doesn't make any sense since they won't be usable with a new private key. This patch free the previous data. Should be backported in 2.1. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 88611dd665..4ff051b9b4 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3357,6 +3357,26 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_ goto end; } + /* once it loaded the PEM, it should remove everything else in the ckch */ + if (ckch->ocsp_response) { + free(ckch->ocsp_response->area); + ckch->ocsp_response->area = NULL; + free(ckch->ocsp_response); + ckch->ocsp_response = NULL; + } + + if (ckch->sctl) { + free(ckch->sctl->area); + ckch->sctl->area = NULL; + free(ckch->sctl); + ckch->sctl = NULL; + } + + if (ckch->ocsp_issuer) { + X509_free(ckch->ocsp_issuer); + ckch->ocsp_issuer = NULL; + } + /* no error, fill ckch with new context, old context will be free at end: */ SWAP(ckch->key, key); SWAP(ckch->dh, dh);
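Review bot: the `ocsp_response` and `sctl` teardowns in this hunk are the same four-line pattern repeated, so a small helper shared with the existing ckch free path would keep the two places from drifting apart; note also that `ckch->ocsp_response->area = NULL;` (and the matching line for `sctl`) is redundant, since the containing struct is freed on the very next line. The block is a no-op on the initial load from disk, where these three fields are still NULL, and only matters on the CLI "set ssl cert" reload path the commit message describes; the comment should say so and state the reason rather than the mechanism, e.g. `/* a new PEM replaces the private key, so drop the sctl, OCSP response and issuer bound to the old one */`.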