Avoid leaking old SSL context on reconnect

The SSL context is currently unconditionally created during connect,
while it is only destroyed in free. Move the initialization to init,
since the context is independent from the individual connection.

Author: cgzones

src/netlog/netlog-dtls.c

@@ -59,7 +59,6 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
         _cleanup_free_ char *pretty = NULL;
         const SSL_CIPHER *cipher;
         socklen_t salen;
-        SSL_CTX *ctx;
         struct timeval timeout = {
                 .tv_sec = 3,
                 .tv_usec = 0,
@@ -68,6 +67,7 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
         int r;
 
         assert(m);
+        assert(m->ctx);
         assert(address);
 
         switch (address->sockaddr.sa.sa_family) {
@@ -95,12 +95,7 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
 
         log_debug("DTLS: Connected to remote server: '%s'", pretty);
 
-        ctx = SSL_CTX_new(DTLS_method());
-        if (!ctx)
-                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
-                                       "DTLS: Failed to allocate memory for SSL CTX: %m");
-
-        ssl = SSL_new(ctx);
+        ssl = SSL_new(m->ctx);
         if (!ssl)
                 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
                                        "DTLS: Failed to allocate memory for ssl: %s",
@@ -125,9 +120,8 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
                 SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_certificate_validity);
         } else {
                 log_debug("DTLS: disable certificate verification");
-                SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
         }
-        SSL_CTX_set_default_verify_paths(ctx);
 
         r = SSL_connect(ssl);
         if (r <= 0)
@@ -158,7 +152,6 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
         BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
 
         m->ssl = TAKE_PTR(ssl);
-        m->ctx = ctx;
         m->fd = TAKE_FD(fd);
 
         m->connected = true;
@@ -193,13 +186,22 @@ void dtls_manager_free(DTLSManager *m) {
 
 int dtls_manager_init(OpenSSLCertificateAuthMode auth_mode, DTLSManager **ret) {
         _cleanup_(dtls_manager_freep) DTLSManager *m = NULL;
+        _cleanup_(SSL_CTX_freep) SSL_CTX *ctx = NULL;
+
+        ctx = SSL_CTX_new(DTLS_method());
+        if (!ctx)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "DTLS: Failed to allocate memory for SSL CTX: %m");
+
+        SSL_CTX_set_default_verify_paths(ctx);
 
         m = new(DTLSManager, 1);
         if (!m)
                 return log_oom();
 
         *m = (DTLSManager) {
            .auth_mode = auth_mode,
+           .ctx = TAKE_PTR(ctx),
            .fd = -1,
         };
 

src/netlog/netlog-ssl.h

@@ -3,4 +3,8 @@
 
 #include <openssl/ssl.h>
 
+#include "macro.h"
+
 int ssl_verify_certificate_validity(int status, X509_STORE_CTX *store);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(SSL_CTX*, SSL_CTX_free);

src/netlog/netlog-tls.c

@@ -68,11 +68,11 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
         _cleanup_free_ char *pretty = NULL;
         const SSL_CIPHER *cipher;
         socklen_t salen;
-        SSL_CTX *ctx;
         _cleanup_close_ int fd = -1;
         int r;
 
         assert(m);
+        assert(m->ctx);
         assert(address);
 
         switch (address->sockaddr.sa.sa_family) {
@@ -100,12 +100,7 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
 
         log_debug("TLS: Connected to remote server: '%s'", pretty);
 
-        ctx = SSL_CTX_new(SSLv23_client_method());
-        if (!ctx)
-                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
-                                       "TLS: Failed to allocate memory for SSL CTX: %m");
-
-        ssl = SSL_new(ctx);
+        ssl = SSL_new(m->ctx);
         if (!ssl)
                 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
                                        "TLS: Failed to allocate memory for ssl: %s",
@@ -125,10 +120,9 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
                 SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_certificate_validity);
         } else {
                 log_debug("TLS: disable certificate verification");
-                SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
         }
 
-        SSL_CTX_set_default_verify_paths(ctx);
         SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 
         r = SSL_connect(ssl);
@@ -158,7 +152,6 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
         }
 
         m->ssl = TAKE_PTR(ssl);
-        m->ctx = ctx;
         m->fd = TAKE_FD(fd);
 
         m->connected = true;
@@ -193,13 +186,22 @@ void tls_manager_free(TLSManager *m) {
 
 int tls_manager_init(OpenSSLCertificateAuthMode auth, TLSManager **ret ) {
         _cleanup_(tls_manager_freep) TLSManager *m = NULL;
+        _cleanup_(SSL_CTX_freep) SSL_CTX *ctx = NULL;
+
+        ctx = SSL_CTX_new(TLS_client_method());
+        if (!ctx)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "TLS: Failed to allocate memory for SSL CTX: %m");
+
+        SSL_CTX_set_default_verify_paths(ctx);
 
         m = new(TLSManager, 1);
         if (!m)
                 return log_oom();
 
         *m = (TLSManager) {
            .auth_mode = auth,
+           .ctx = TAKE_PTR(ctx),
            .fd = -1,
         };