summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2021-01-02 18:31:07 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2021-01-02 18:31:07 +0000
commitaf7296595c95ded857913cc265b3d5b4ca066fda (patch)
treeec82b1cbc9464052ebb17e2f6307b88990f56c6f
parent9e4c9e478f34da0c57232c6f67d33c3a1c5a7a59 (diff)
Call tls_close() before closing the underlying socket
In order to end a TLS connection regularly, an implementation MUST send a close_notify alert. libtls does this in tls_close() via SSL_shutdown(), so the socket had better still be open. The incorrect order in server_close() caused a leak on each tls connection due to a bug in libssl (fixed in tls_record_layer.c r1.56). As pointed out by claudio, tls_close() should really be handled from the main event loop. This will be addressed in a later commit. ok claudio florian jsing
-rw-r--r--usr.sbin/httpd/server.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 20b31a39e50..b61208d240f 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.122 2020/12/31 14:17:12 tb Exp $ */
+/* $OpenBSD: server.c,v 1.123 2021/01/02 18:31:06 tb Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -1333,15 +1333,17 @@ server_close(struct client *clt, const char *msg)
if (clt->clt_srvbev != NULL)
bufferevent_free(clt->clt_srvbev);
+
+ /* tls_close must be called before the underlying socket is closed. */
+ if (clt->clt_tls_ctx != NULL)
+ tls_close(clt->clt_tls_ctx); /* XXX - error handling */
+ tls_free(clt->clt_tls_ctx);
+
if (clt->clt_fd != -1)
close(clt->clt_fd);
if (clt->clt_s != -1)
close(clt->clt_s);
- if (clt->clt_tls_ctx != NULL)
- tls_close(clt->clt_tls_ctx);
- tls_free(clt->clt_tls_ctx);
-
server_inflight_dec(clt, __func__);
if (clt->clt_log != NULL)