| field | value | date |
|---|---|---|
| author | Theo Buehler <tb@cvs.openbsd.org> | 2021-01-02 18:31:07 +0000 |
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2021-01-02 18:31:07 +0000 |
| commit | af7296595c95ded857913cc265b3d5b4ca066fda (patch) | |
| tree | ec82b1cbc9464052ebb17e2f6307b88990f56c6f | |
| parent | 9e4c9e478f34da0c57232c6f67d33c3a1c5a7a59 (diff) | |
Call tls_close() before closing the underlying socket
In order to end a TLS connection regularly, an implementation MUST send a
close_notify alert. libtls does this in tls_close() via SSL_shutdown(),
so the socket had better still be open.
The incorrect order in server_close() caused a leak on each tls connection
due to a bug in libssl (fixed in tls_record_layer.c r1.56).
As pointed out by claudio, tls_close() should really be handled from the
main event loop. This will be addressed in a later commit.
ok claudio florian jsing
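The teardown order the commit message describes, as an added example that is not httpd's or libtls's own code: close_notify goes out through tls_close() while the socket is still open, and only then is the descriptor closed. It also covers the case tls_close(3) documents and the hunk's `XXX - error handling` leaves open: on a socket that is not ready, tls_close() returns TLS_WANT_POLLIN or TLS_WANT_POLLOUT and must be called again. Assumptions: the TLS_WANT_* values are copied from tls.h so the file builds without libtls; tls_close() is reached through a function pointer, with a constructed stub (fake_tls_close) that behaves like a non-blocking connection; a pipe stands in for the socket; client_teardown, client_teardown_old_order and run_demo are hypothetical names.

```c
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Values as defined in libtls's tls.h, copied so this builds without it. */
#define TLS_WANT_POLLIN		(-2)
#define TLS_WANT_POLLOUT	(-3)
#define CLOSE_NOTIFY_MAX_TRIES	8

struct client {
	int	 fd;			/* underlying socket; a pipe in the demo */
	void	*tls_ctx;		/* struct tls * with real libtls */
	int	(*tls_close_fn)(void *); /* tls_close(3) stand-in (hook) */
};

/* Constructed fake of a non-blocking TLS connection: the first tls_close()
 * "would block", the next one writes 'N', standing in for close_notify. */
struct fake_tls { int fd; int calls; };

static int
fake_tls_close(void *arg)
{
	struct fake_tls *t = arg;

	if (t->calls++ == 0)
		return TLS_WANT_POLLOUT;
	if (write(t->fd, "N", 1) != 1)	/* EBADF if the fd was closed first */
		return -1;
	return 0;
}

/* Order from server.c r1.123: close_notify first, retrying while tls_close()
 * asks for POLLIN/POLLOUT, then close the socket. 0 if it went out, else -1. */
int
client_teardown(struct client *clt)
{
	struct pollfd pfd;
	int rv = 0, tries;

	if (clt->tls_ctx != NULL) {
		for (tries = 0; tries < CLOSE_NOTIFY_MAX_TRIES; tries++) {
			rv = clt->tls_close_fn(clt->tls_ctx);
			if (rv != TLS_WANT_POLLIN && rv != TLS_WANT_POLLOUT)
				break;
			pfd.fd = clt->fd;
			pfd.events = (rv == TLS_WANT_POLLIN) ? POLLIN : POLLOUT;
			if (poll(&pfd, 1, 1000) <= 0) {	/* timeout or error */
				rv = -1;
				break;
			}
		}
		if (rv != 0)
			rv = -1;	/* hard error or retry budget exhausted */
		/* with real libtls: tls_free(clt->tls_ctx) here, before close() */
	}
	if (clt->fd != -1) {
		close(clt->fd);
		clt->fd = -1;
	}
	return rv;
}

/* The order server_close() had before the fix: socket first, then tls_close(). */
int
client_teardown_old_order(struct client *clt)
{
	int rv = 0;

	if (clt->fd != -1) {
		close(clt->fd);
		clt->fd = -1;
	}
	if (clt->tls_ctx != NULL)
		rv = clt->tls_close_fn(clt->tls_ctx);	/* nothing left to send on */
	return rv;
}

/* Constructed demo: the pipe's write end plays the server socket, the read end
 * the peer. Returns 1 if the peer received the fake close_notify, else 0. */
int
run_demo(int socket_first)
{
	int p[2];
	char c = 0;
	ssize_t n;
	struct fake_tls ft = { -1, 0 };
	struct client clt;

	if (pipe(p) == -1)
		return -1;
	ft.fd = clt.fd = p[1];
	clt.tls_ctx = &ft;
	clt.tls_close_fn = fake_tls_close;
	if (socket_first)
		client_teardown_old_order(&clt);
	else
		client_teardown(&clt);
	n = read(p[0], &c, 1);	/* 0 (EOF): nothing was ever written */
	close(p[0]);
	return (n == 1 && c == 'N') ? 1 : 0;
}

int
main(void)
{
	printf("tls_close() before close(): peer got close_notify = %d\n", run_demo(0));
	printf("close() before tls_close(): peer got close_notify = %d\n", run_demo(1));
	return 0;
}
```

With real libtls the hook is tls_close(ctx), tls_free(ctx) follows the loop and precedes close(fd), and in an event-driven server like httpd the poll() belongs to the main event loop rather than inside the teardown, which is the point claudio raises in the message.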
-rw-r--r-- | usr.sbin/httpd/server.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c index 20b31a39e50..b61208d240f 100644 --- a/usr.sbin/httpd/server.c +++ b/usr.sbin/httpd/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.122 2020/12/31 14:17:12 tb Exp $ */ +/* $OpenBSD: server.c,v 1.123 2021/01/02 18:31:06 tb Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -1333,15 +1333,17 @@ server_close(struct client *clt, const char *msg) if (clt->clt_srvbev != NULL) bufferevent_free(clt->clt_srvbev); + + /* tls_close must be called before the underlying socket is closed. */ + if (clt->clt_tls_ctx != NULL) + tls_close(clt->clt_tls_ctx); /* XXX - error handling */ + tls_free(clt->clt_tls_ctx); + if (clt->clt_fd != -1) close(clt->clt_fd); if (clt->clt_s != -1) close(clt->clt_s); - if (clt->clt_tls_ctx != NULL) - tls_close(clt->clt_tls_ctx); - tls_free(clt->clt_tls_ctx); - server_inflight_dec(clt, __func__); if (clt->clt_log != NULL) |
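Review bot: in the server_close() hunk the result of `tls_close(clt->clt_tls_ctx); /* XXX - error handling */` is dropped and tls_free() plus close() follow immediately. tls_close(3) can return TLS_WANT_POLLIN or TLS_WANT_POLLOUT when the socket is not ready and then has to be called again after polling, so a single unchecked call still lets the close_notify go unsent on a non-blocking socket, the same outcome the reorder is meant to avoid. The commit message defers the proper fix to the event loop; until that lands, checking the return value and distinguishing the TLS_WANT_* cases from a hard -1, so the condition at least shows up in the daemon's logs, would make the XXX actionable. The ordering itself is right: close_notify is now sent while clt_fd and clt_s are still open, and the unconditional tls_free() is unchanged from before.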