From cf16c54ae0986a2457860d339e23e3f04ab6fe37 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Fri, 10 Oct 2025 17:05:21 +0200
Subject: [PATCH] BUG/MINOR: ssl: Free global_ssl structure contents during deinit

Some fields of the global_ssl structure are strings that are strdup'ed but never freed. There is only one static global_ssl structure so not much memory is used but we might as well free it during deinit. This patch can be backported to all stable branches.
(cherry picked from commit 9bc6a0349d7dc8b17e407b7360ceddd568ed3d7e)
Signed-off-by: Willy Tarreau
(cherry picked from commit 03ac586b529198065f8bbe055b0fb50a28b2f3f9)
Signed-off-by: Willy Tarreau
(cherry picked from commit 22f87b5bc3080cb24a4b7b8e984e6c2c1bf6fc38)
Signed-off-by: Willy Tarreau
---
 src/ssl_sock.c | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index af33bc5..b390d7f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7613,6 +7613,41 @@ static void ssl_sock_clt_sni_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *
 pool_free(ssl_sock_client_sni_pool, ptr);
 }
 
+static void ssl_free_global(void)
+{
+ ha_free(&global_ssl.crt_base);
+ ha_free(&global_ssl.ca_base);
+
+ ha_free(&global_ssl.issuers_chain_path);
+
+ if (global_ssl.listen_default_ciphers != LISTEN_DEFAULT_CIPHERS)
+ ha_free(&global_ssl.listen_default_ciphers);
+
+ if (global_ssl.connect_default_ciphers != CONNECT_DEFAULT_CIPHERS)
+ ha_free(&global_ssl.connect_default_ciphers);
+
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ if (global_ssl.listen_default_ciphersuites != LISTEN_DEFAULT_CIPHERSUITES)
+ ha_free(&global_ssl.listen_default_ciphersuites);
+
+ if (global_ssl.connect_default_ciphersuites != CONNECT_DEFAULT_CIPHERSUITES)
+ ha_free(&global_ssl.connect_default_ciphersuites);
+#endif
+
+#if defined(SSL_CTX_set1_curves_list)
+ ha_free(&global_ssl.listen_default_curves);
+ ha_free(&global_ssl.connect_default_curves);
+#endif
+
+#if defined(SSL_CTX_set1_sigalgs_list)
+ ha_free(&global_ssl.listen_default_sigalgs);
+ ha_free(&global_ssl.connect_default_sigalgs);
+
+ ha_free(&global_ssl.listen_default_client_sigalgs);
+ ha_free(&global_ssl.connect_default_client_sigalgs);
+#endif
+}
+
 static void __ssl_sock_init(void)
 {
 #if (!defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION))
@@ -7717,6 +7752,8 @@ static void __ssl_sock_init(void)
 * ssl_sock_register_msg_callback().
 */
 hap_register_post_deinit(ssl_sock_unregister_msg_callbacks);
+
+ hap_register_post_deinit(ssl_free_global);
 }
 INITCALL0(STG_REGISTER, __ssl_sock_init);
-- 
1.7.10.4
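Review bot: The four guarded frees in ssl_free_global() (the `!= LISTEN_DEFAULT_CIPHERS` and `!= CONNECT_DEFAULT_CIPHERS` tests and the two ciphersuites ones under HAVE_SSL_CTX_SET_CIPHERSUITES) decide heap ownership by comparing a pointer with a build-time macro, and nothing in the hunk says why that is sufficient. If those macros can expand to string literals, which is not visible here, C does not guarantee that two uses of the same literal share one address, so the test could pass for a field that still holds the default and free() would then be called on non-heap memory during deinit. The initialisation of these fields is outside this patch, so it is worth confirming that by the time the post-deinit callback runs each one is either NULL, the macro value itself, or a strdup'ed copy. A short comment above the first guard would record that invariant, e.g. `/* these four may still point at the build-time default, which is not heap memory; only free a value that replaced it */`.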