From: Joshua Colp Date: Wed, 5 Aug 2015 10:23:21 +0000 (-0300) Subject: res_rtp_asterisk: Don't leak temporary key when enabling PFS. X-Git-Tag: 11.20.0-rc1~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7a1dca4baec5c2edec16470b377761066021650;p=thirdparty%2Fasterisk.git res_rtp_asterisk: Don't leak temporary key when enabling PFS. A change recently went in which enabled perfect forward secrecy for DTLS in res_rtp_asterisk. This was accomplished two different ways depending on the availability of a feature in OpenSSL. The fallback method created a temporary instance of a key but did not free it. This change fixes that. ASTERISK-25265 Change-Id: Iadc031b67a91410bbefb17ffb4218d615d051396 --- diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index d3c704c25d..6f7f94a0c1 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -1254,6 +1254,9 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con { struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); int res; +#ifndef HAVE_OPENSSL_ECDH_AUTO + EC_KEY *ecdh; +#endif if (!dtls_cfg->enabled) { return 0; @@ -1273,8 +1276,11 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con #ifdef HAVE_OPENSSL_ECDH_AUTO SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1); #else - SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, - EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ecdh) { + SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh); + EC_KEY_free(ecdh); + } #endif rtp->dtls_verify = dtls_cfg->verify;