OpenSSL: fix memory leaks

Approver's checklist:

• The author has submitted the FSF Copyright Assignment and is listed in AUTHORS
• There is a test suite reasonably covering new functionality or modifications
• Function naming, parameters, return values, types, etc., are consistent with existing code
• This feature/change has adequate documentation added (if appropriate)
• No obvious mistakes / misspelling in the code

changed the description

added 4 commits

• 80c15343...d5139894 - 3 commits from branch master
• 5f350371 - OpenSSL: fix memory leaks

Compare with previous version

Please do not pthreads directly. If you need thread-specific global variables, allocate them in wget_ssl_init. Or did I miss something ?

Well, I thought pthread_key_create, pthread_getspecific and pthread_setspecific were available in gnulib (see: pthread-tss.c).

Otherwise I can't think of any other alternative than thread-specific globals, but I have concerns about the portability of __thread. That's why I removed it in favor of those functions.

Isn't there a possibility to set a user variable for 'store' before calling X509_STORE_set_verify_cb() ?

I can set a user variable in both X509_STORE and X509_STORE_CTX, but I can't get a handle to X509_STORE from X509_STORE_CTX (what the callback function gets as argument). And conversely, I can get a handle to X509_STORE from SSL_CTX (in wget_ssl_open()), but not a handle to X509_STORE_CTX.

I have the feeling something as simple as passing a pointer around can't be so hard, so either I am missing something really obvious or yes, it is that hard.

From the man page:

void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
                               int (*verify_cb)(int ok, X509_STORE_CTX *ctx));

...
Additional application data can be passed to the callback via the ex_data mechanism. 

So set the user data to ctx, as you get the same ctx passed to your callback. Or is that my misunderstanding ?

That is what I'm doing, but I could not get a pointer to the X509_STORE_CTX structure from within wget_ssl_open().

I've just found X509_STORE_CTX_get0_store(), in file x509_lu.c. Hope it works now. Will check later.

I found another possibility, at least for SNI in apps/s_client.c:

tlsextcbp.biodebug = bio_err;
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);

static int ssl_servername_cb(SSL *s, int *ad, void *arg)
{
    tlsextctx *p = (tlsextctx *) arg;
    const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
    if (SSL_get_servername_type(s) != -1)
        p->ack = !SSL_session_reused(s) && hn != NULL;
    else
        BIO_printf(bio_err, "Can't use SSL_get_servername\n");

    return SSL_TLSEXT_ERR_OK;
}

tlsextcbp is a user defined structure, so anything you like to use in the callback.

added 1 commit

• 219afd6a - OpenSSL: fix memory leaks

Compare with previous version

@rockdaboot this should be it

added 9 commits

• 219afd6a...595e78c8 - 8 commits from branch master
• 1814b31e - OpenSSL: fix memory leaks

Compare with previous version

approved this merge request

enabled an automatic merge when the pipeline for 1814b31e succeeds

merged