commit 75b15f790f2be0600483476c1505fec0ce898e35
author William Lallemand <wlallemand@haproxy.com> Thu Jan 23 10:56:05 2020 +0100
committer William Lallemand <wlallemand@haproxy.org> Thu Jan 23 11:08:46 2020 +0100
tree de918fbdaf83ddee2dd4c5ae1f39aba320399216
parent d0142e7224e874380b3f2c5f651557ffe74155c0

BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded

When using "set ssl cert" on the CLI, if we load a new PEM, the previous
sctl, issuer and OCSP response are still loaded. This doesn't make any
sense since they won't be usable with a new private key.

This patch free the previous data.

Should be backported in 2.1.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 88611dd..4ff051b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3357,6 +3357,26 @@
 		goto end;
 	}
 
+	/* once it loaded the PEM, it should remove everything else in the ckch */
+	if (ckch->ocsp_response) {
+		free(ckch->ocsp_response->area);
+		ckch->ocsp_response->area = NULL;
+		free(ckch->ocsp_response);
+		ckch->ocsp_response = NULL;
+	}
+
+	if (ckch->sctl) {
+		free(ckch->sctl->area);
+		ckch->sctl->area = NULL;
+		free(ckch->sctl);
+		ckch->sctl = NULL;
+	}
+
+	if (ckch->ocsp_issuer) {
+		X509_free(ckch->ocsp_issuer);
+		ckch->ocsp_issuer = NULL;
+	}
+
 	/* no error, fill ckch with new context, old context will be free at end: */
 	SWAP(ckch->key, key);
 	SWAP(ckch->dh, dh);