49 lines
1.4 KiB
Diff
49 lines
1.4 KiB
Diff
commit 9f77fd742697cc2774c6a50204cb9f5b6909e930
|
|
Author: William Lallemand <wlallemand@haproxy.com>
|
|
Date: Thu Jan 23 10:56:05 2020 +0100
|
|
|
|
BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded
|
|
|
|
When using "set ssl cert" on the CLI, if we load a new PEM, the previous
|
|
sctl, issuer and OCSP response are still loaded. This doesn't make any
|
|
sense since they won't be usable with a new private key.
|
|
|
|
This patch free the previous data.
|
|
|
|
Should be backported in 2.1.
|
|
|
|
(cherry picked from commit 75b15f790f2be0600483476c1505fec0ce898e35)
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index b65da399f..e320d908f 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -3196,6 +3196,26 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
|
|
goto end;
|
|
}
|
|
|
|
+ /* once it loaded the PEM, it should remove everything else in the ckch */
|
|
+ if (ckch->ocsp_response) {
|
|
+ free(ckch->ocsp_response->area);
|
|
+ ckch->ocsp_response->area = NULL;
|
|
+ free(ckch->ocsp_response);
|
|
+ ckch->ocsp_response = NULL;
|
|
+ }
|
|
+
|
|
+ if (ckch->sctl) {
|
|
+ free(ckch->sctl->area);
|
|
+ ckch->sctl->area = NULL;
|
|
+ free(ckch->sctl);
|
|
+ ckch->sctl = NULL;
|
|
+ }
|
|
+
|
|
+ if (ckch->ocsp_issuer) {
|
|
+ X509_free(ckch->ocsp_issuer);
|
|
+ ckch->ocsp_issuer = NULL;
|
|
+ }
|
|
+
|
|
/* no error, fill ckch with new context, old context will be free at end: */
|
|
SWAP(ckch->key, key);
|
|
SWAP(ckch->dh, dh);
|