Perform reference counting for tls_config. This allows tls_config_free() to

be called as soon as it has been passed to the final tls_configure() call,
simplifying lifetime tracking for the application.

Requested some time ago by tedu@.

ok beck@

4 files changed, 22 insertions, 6 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 446f93430d..b639873df4 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.61 2017/04/05 03:19:22 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.62 2017/05/06 20:59:28 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -50,6 +50,8 @@ tls_init(void)
         if ((tls_config_default = tls_config_new()) == NULL)
                 return (-1);
 
+        tls_config_default->refcount++;
+
         tls_initialised = 1;
 
         return (0);
@@ -230,9 +232,8 @@ tls_new(void)
         if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
                 return (NULL);
 
-        ctx->config = tls_config_default;
-
         tls_reset(ctx);
+        tls_configure(ctx, tls_config_default);
 
         return (ctx);
 }
@@ -243,6 +244,9 @@ tls_configure(struct tls *ctx, struct tls_config *config)
         if (config == NULL)
                 config = tls_config_default;
 
+        config->refcount++;
+
+        tls_config_free(ctx->config);
         ctx->config = config;
 
         if ((ctx->flags & TLS_SERVER) != 0)
@@ -521,6 +525,9 @@ tls_reset(struct tls *ctx)
 {
         struct tls_sni_ctx *sni, *nsni;
 
+        tls_config_free(ctx->config);
+        ctx->config = NULL;
+
         SSL_CTX_free(ctx->ssl_ctx);
         SSL_free(ctx->ssl_conn);
         X509_free(ctx->ssl_peer_cert);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 3945da75ac..8f0bd70508 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.39 2017/05/02 03:59:45 deraadt Exp $ */
+/* $OpenBSD: tls_config.c,v 1.40 2017/05/06 20:59:28 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -207,6 +207,8 @@ tls_config_new(void)
         if ((config->keypair = tls_keypair_new()) == NULL)
                 goto err;
 
+        config->refcount = 1;
+
         /*
          * Default configuration.
          */
@@ -252,6 +254,9 @@ tls_config_free(struct tls_config *config)
         if (config == NULL)
                 return;
 
+        if (--config->refcount > 0)
+                return;
+
         for (kp = config->keypair; kp != NULL; kp = nkp) {
                 nkp = kp->next;
                 tls_keypair_free(kp);
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 0c8e8c1d21..ba007a6714 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.58 2017/05/04 11:31:45 claudio Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.59 2017/05/06 20:59:28 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -75,6 +75,8 @@ struct tls_ticket_key {
 struct tls_config {
         struct tls_error error;
 
+        int refcount;
+
         char *alpn;
         size_t alpn_len;
         const char *ca_path;
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 39c6ca79e9..abac01ca5c 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.36 2017/04/10 17:11:13 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.37 2017/05/06 20:59:28 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -48,6 +48,8 @@ tls_server_conn(struct tls *ctx)
                 return (NULL);
 
         conn_ctx->flags |= TLS_SERVER_CONN;
+
+        ctx->config->refcount++;
         conn_ctx->config = ctx->config;
 
         return (conn_ctx);