diff --git a/cstp.c b/cstp.c index d799f15f..792c17e9 100644 --- a/cstp.c +++ b/cstp.c @@ -230,7 +230,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo) _("Error fetching HTTPS response\n")); if (!retried) { retried = 1; - openconnect_close_https(vpninfo); + openconnect_close_https(vpninfo, 0); if (openconnect_open_https(vpninfo)) { vpn_progress(vpninfo, PRG_ERR, @@ -526,7 +526,7 @@ int cstp_reconnect(struct openconnect_info *vpninfo) int timeout; int interval; - openconnect_close_https(vpninfo); + openconnect_close_https(vpninfo, 0); /* Requeue the original packet that was deflated */ if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) { diff --git a/gnutls.c b/gnutls.c index eaa42752..7476564a 100644 --- a/gnutls.c +++ b/gnutls.c @@ -1056,17 +1056,8 @@ int openconnect_open_https(struct openconnect_info *vpninfo) return 0; } -void openconnect_close_https(struct openconnect_info *vpninfo) +void openconnect_close_https(struct openconnect_info *vpninfo, int final) { -#ifdef HAVE_P11KIT - if (!strncmp(vpninfo->cert, "pkcs11:", 7)) { - char pin_source[40]; - - sprintf(pin_source, "openconnect:%p", vpninfo); - p11_kit_pin_unregister_callback(pin_source, pin_callback, vpninfo); - } -#endif - if (vpninfo->peer_cert) { gnutls_x509_crt_deinit(vpninfo->peer_cert); vpninfo->peer_cert = NULL; @@ -1082,6 +1073,18 @@ void openconnect_close_https(struct openconnect_info *vpninfo) FD_CLR(vpninfo->ssl_fd, &vpninfo->select_efds); vpninfo->ssl_fd = -1; } + if (final && vpninfo->https_cred) { + gnutls_certificate_free_credentials(vpninfo->https_cred); + vpninfo->https_cred = NULL; +#ifdef HAVE_P11KIT + if (!strncmp(vpninfo->cert, "pkcs11:", 7)) { + char pin_source[40]; + + sprintf(pin_source, "openconnect:%p", vpninfo); + p11_kit_pin_unregister_callback(pin_source, pin_callback, vpninfo); + } +#endif + } } void openconnect_init_ssl(void) diff --git a/http.c b/http.c index 68a15a3a..e8ef020d 100644 --- a/http.c +++ b/http.c @@ -335,7 +335,7 @@ static int process_http_response(struct openconnect_info *vpninfo, int *result, } if (closeconn || vpninfo->no_http_keepalive) - openconnect_close_https(vpninfo); + openconnect_close_https(vpninfo, 0); if (body) body[done] = 0; @@ -728,7 +728,7 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo) /* Kill the existing connection, and a new one will happen */ free(vpninfo->peer_addr); vpninfo->peer_addr = NULL; - openconnect_close_https(vpninfo); + openconnect_close_https(vpninfo, 0); for (opt = vpninfo->cookies; opt; opt = next) { next = opt->next; diff --git a/library.c b/library.c index 0b4eae83..92b7c253 100644 --- a/library.c +++ b/library.c @@ -171,23 +171,11 @@ void openconnect_clear_cookie (struct openconnect_info *vpninfo) void openconnect_reset_ssl (struct openconnect_info *vpninfo) { - openconnect_close_https(vpninfo); + openconnect_close_https(vpninfo, 1); if (vpninfo->peer_addr) { free(vpninfo->peer_addr); vpninfo->peer_addr = NULL; } -#if defined (OPENCONNECT_OPENSSL) - if (vpninfo->https_ctx) { - SSL_CTX_free(vpninfo->https_ctx); - vpninfo->https_ctx = NULL; - } -#elif defined (OPENCONNECT_GNUTLS) - if (vpninfo->https_cred) { - gnutls_certificate_free_credentials(vpninfo->https_cred); - vpninfo->https_cred = NULL; - } -#endif - } int openconnect_parse_url (struct openconnect_info *vpninfo, char *url) diff --git a/openconnect-internal.h b/openconnect-internal.h index fafd8f32..ac6ffe44 100644 --- a/openconnect-internal.h +++ b/openconnect-internal.h @@ -321,7 +321,7 @@ int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len); int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len); int openconnect_open_https(struct openconnect_info *vpninfo); -void openconnect_close_https(struct openconnect_info *vpninfo); +void openconnect_close_https(struct openconnect_info *vpninfo, int final); int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert, char *buf); /* This one is actually OpenSSL-specific */ diff --git a/openssl.c b/openssl.c index 57653588..ab18cf98 100644 --- a/openssl.c +++ b/openssl.c @@ -1283,7 +1283,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo) return 0; } -void openconnect_close_https(struct openconnect_info *vpninfo) +void openconnect_close_https(struct openconnect_info *vpninfo, int final) { if (vpninfo->peer_cert) { X509_free(vpninfo->peer_cert); @@ -1300,6 +1300,10 @@ void openconnect_close_https(struct openconnect_info *vpninfo) FD_CLR(vpninfo->ssl_fd, &vpninfo->select_efds); vpninfo->ssl_fd = -1; } + if (final && vpninfo->https_ctx) { + SSL_CTX_free(vpninfo->https_ctx); + vpninfo->https_ctx = NULL; + } } void openconnect_init_ssl(void)