Move freeing of an old enc_write_ctx/write_hash to dtls1_clear_sent_buffer

When we are clearing the sent messages queue we should ensure we free any
old enc_write_ctx/write_hash that are no longer in use. Previously this
logic was in dtls1_hm_fragment_free() - but this can end up freeing the
current enc_write_ctx/write_hash under certain error conditions.

Fixes #22664

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)

1 files changed, 17 insertions, 0 deletions

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 871c187a9d..6c2d4ba73e 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -130,6 +130,23 @@ void dtls1_clear_sent_buffer(SSL *s)
 
     while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
         frag = (hm_fragment *)item->data;
+
+        if (frag->msg_header.is_ccs) {
+            /*
+             * If we're freeing the CCS then we're done with the old
+             * enc_write_ctx/write_hash and they can be freed
+             */
+            if (s->enc_write_ctx
+                    != frag->msg_header.saved_retransmit_state.enc_write_ctx)
+                EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state
+                                                    .enc_write_ctx);
+
+            if (s->write_hash
+                    != frag->msg_header.saved_retransmit_state.write_hash)
+                EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state
+                                                .write_hash);
+        }
+
         dtls1_hm_fragment_free(frag);
         pitem_free(item);
     }