MINOR: ssl: ssl_sock_load_multi_ckchs() can properly fail
ssl_sock_load_multi_ckchs() is now able to fail without polluting the
bind_conf trees and leaking memory.
It is a prerequisite to load certificate on-the-fly with the CLI.
The insertion of the sni_ctxs in the trees are done once everything has
been allocated correctly.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e7a7672..05f64a5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3379,7 +3379,6 @@
/* Key combo contains ckch[n] */
snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) {
- SSL_CTX_free(cur_ctx);
rv = 1;
goto end;
}
@@ -3391,7 +3390,6 @@
if (err)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
*err ? *err : "", cur_file);
- SSL_CTX_free(cur_ctx);
rv = 1;
goto end;
}
@@ -3443,6 +3441,24 @@
node = next;
}
+ if (rv > 0) {
+ struct sni_ctx *sc0, *sc0b;
+
+ /* free the SSL_CTX in case of error */
+ for (i = 0; i < SSL_SOCK_POSSIBLE_KT_COMBOS; i++) {
+ if (key_combos[i].ctx)
+ SSL_CTX_free(key_combos[i].ctx);
+ }
+
+ /* free the sni_ctx in case of error */
+ list_for_each_entry_safe(sc0, sc0b, &ckch_inst->sni_ctx, by_ckch_inst) {
+
+ ebmb_delete(&sc0->name);
+ LIST_DEL(&sc0->by_ckch_inst);
+ free(sc0);
+ }
+ }
+
return rv;
}
#else