Plug a long standing leak in libtls CRL handling

tb · tb · commit 388f2ae8914a · 2022-02-08T19:13:50.000Z
X509_STORE_add_crl() does not take ownership of the CRL, it bumps its
refcount. So nulling out the CRL from the stack will leak it.

Issue reported by KS Sreeram, thanks!

ok jsing
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.92 2021/10/21 14:31:21 tb Exp $ */
+/* $OpenBSD: tls.c,v 1.93 2022/01/25 21:51:24 eric Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -647,7 +647,6 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 				tls_set_error(ctx, "failed to add crl");
 				goto err;
 			}
-			xi->crl = NULL;
 		}
 		X509_STORE_set_flags(store,
 		    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* $OpenBSD: tls.c,v 1.92 2021/10/21 14:31:21 tb Exp $ */`
	`1`	`+/* $OpenBSD: tls.c,v 1.93 2022/01/25 21:51:24 eric Exp $ */`
`2`	`2`	`/*`
`3`	`3`	`* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>`
`4`	`4`	`*`
`@@ -647,7 +647,6 @@ tls_configure_ssl_verify(struct tls ctx, SSL_CTX ssl_ctx, int verify)`
`647`	`647`	`tls_set_error(ctx, "failed to add crl");`
`648`	`648`	`goto err;`
`649`	`649`	`}`
`650`		`- xi->crl = NULL;`
`651`	`650`	`}`
`652`	`651`	`X509_STORE_set_flags(store,`
`653`	`652`	`X509_V_FLAG_CRL_CHECK \| X509_V_FLAG_CRL_CHECK_ALL);`