From: Remi Gacogne
Date: Tue, 21 Oct 2025 09:39:26 +0000 (+0200)
Subject: dnsdist: Fix comment as suggested by Miod
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ec21af00d5d682ffaa916b4bf48209dfa9038814;p=thirdparty%2Fpdns.git
dnsdist: Fix comment as suggested by Miod
Signed-off-by: Remi Gacogne
---
diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index 7a18f2f8ad..bd247dc178 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -375,6 +375,9 @@ int libssl_ocsp_stapling_callback(SSL* ssl, const std::map& oc
 }
 const auto ocsp_resp_size = data->second.size();
+ /* the behaviour is alas different in 3.6.0 because of a regression introduced in b1b4b154fd389ac6254d49cfb11aee36c1c51b84:
+ the value passed to SSL_set_tlsext_status_ocsp_resp() is not freed in 3.6.0 as it is in all others OpenSSL versions.
+ See https://github.com/openssl/openssl/issues/28888 */
 #if OPENSSL_VERSION_NUMBER != 0x30600000L
 /* we need to allocate a copy because OpenSSL will free the pointer passed to SSL_set_tlsext_status_ocsp_resp() */
 void* ocsp_resp = OPENSSL_malloc(ocsp_resp_size);
@@ -384,8 +387,7 @@ int libssl_ocsp_stapling_callback(SSL* ssl, const std::map& oc
 memcpy(ocsp_resp, data->second.data(), ocsp_resp_size);
 #else
- /* no longer freed after b1b4b154fd389ac6254d49cfb11aee36c1c51b84 3.6.0, https://github.com/openssl/openssl/issues/28888 */
- // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast): the parameter is no longer freed but the parameter is not marked const..
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast): the parameter is not freed in this version (3.6.0, see above) but the parameter is not marked const.
 void* ocsp_resp = const_cast(data->second.data());
 #endif
 SSL_set_tlsext_status_ocsp_resp(ssl, ocsp_resp, ocsp_resp_size);
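Review bot: The new comment above `#if OPENSSL_VERSION_NUMBER != 0x30600000L` explains the 3.6.0 ownership difference, but not that the guard is evaluated against the build-time headers while the free-or-not behaviour belongs to whichever libssl is loaded at run time. If a binary built against 3.6.0 headers runs with a library that does free the pointer, the `#else` branch in the second hunk hands OpenSSL a pointer into `data->second` (the map's own buffer), which would be an invalid free; the reverse mix leaks one copy per call. Consider stating that limitation in the comment, or choosing the branch at run time with `if (OpenSSL_version_num() != 0x30600000L)` so the copy is made unless the loaded library is exactly 3.6.0. The comment could also record that in the 3.6.0 branch the map entry has to outlive OpenSSL's use of the pointer; presumably it does, but that is not visible here. The body of libssl_ocsp_stapling_callback starts and ends outside both hunks.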