res_rtp_asterisk: Don't leak temporary key when enabling PFS.
authorJoshua Colp <jcolp@digium.com>
Wed, 5 Aug 2015 10:23:21 +0000 (07:23 -0300)
committerJoshua Colp <jcolp@digium.com>
Wed, 5 Aug 2015 15:25:53 +0000 (10:25 -0500)
A change recently went in which enabled perfect forward secrecy for
DTLS in res_rtp_asterisk. This was accomplished two different ways
depending on the availability of a feature in OpenSSL. The fallback
method created a temporary instance of a key but did not free it.
This change fixes that.

ASTERISK-25265

Change-Id: Iadc031b67a91410bbefb17ffb4218d615d051396

res/res_rtp_asterisk.c

index 7e507c9..5f21c14 100644 (file)
@@ -1268,6 +1268,9 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
 {
        struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
        int res;
+#ifndef HAVE_OPENSSL_ECDH_AUTO
+       EC_KEY *ecdh;
+#endif
 
        if (!dtls_cfg->enabled) {
                return 0;
@@ -1291,8 +1294,11 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
 #ifdef HAVE_OPENSSL_ECDH_AUTO
        SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1);
 #else
-       SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx,
-               EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+       ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+       if (ecdh) {
+               SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh);
+               EC_KEY_free(ecdh);
+       }
 #endif
 
        rtp->dtls_verify = dtls_cfg->verify;