Merge pull request #857 from openziti/ca-bundle-update

update bundle on TLS context

Author: ekoby

deps/CMakeLists.txt

@@ -9,7 +9,7 @@ if (NOT TARGET tlsuv)
     else ()
         FetchContent_Declare(tlsuv
                 GIT_REPOSITORY https://github.com/openziti/tlsuv.git
-                GIT_TAG v0.33.10
+                GIT_TAG v0.34.1
         )
         FetchContent_MakeAvailable(tlsuv)
     endif (tlsuv_DIR)

library/oidc.c

@@ -337,6 +337,7 @@ static void free_auth_req(auth_req *req) {
         json_tokener_free(req->json_parser);
         req->json_parser = NULL;
     }
+    FREE(req->id);
     free(req);
 }
 

library/posture.c

@@ -627,6 +627,7 @@ static void send_posture_legacy(ziti_context ztx, model_list *send_prs) {
     ZTX_LOG(TRACE, "bulk posture response: %s", body);
 
     ziti_pr_post_bulk(ztx_get_controller(ztx), body, body_len, ziti_pr_post_bulk_cb, ztx);
+    free(body);
     string_buf_free(&buf);
 }
 
@@ -1066,8 +1067,8 @@ void ziti_endpoint_state_change(ziti_context ztx, bool woken, bool unlocked) {
         size_t obj_len;
 
         char *obj = ziti_pr_endpoint_state_req_to_json(&state_req, 0, &obj_len);
-
         ziti_pr_post(ztx_get_controller(ztx), obj, obj_len, ziti_endpoint_state_pr_cb, ztx);
+        FREE(obj);
     } else {
         ZTX_LOG(INFO, "endpoint state change reported, but no reason to send data: woken[%s] unlocked[%s]", woken ? "TRUE":"FALSE", unlocked ? "TRUE":"FALSE");
     }

library/ziti.c

@@ -1583,23 +1583,15 @@ static void ca_bundle_cb(char *pkcs7, const ziti_error *err, void *ctx) {
             goto error;
         }
 
-        if (ztx->config.id.ca && strcmp(new_pem, ztx->config.id.ca) != 0) {
+        if (ztx->config.id.ca == NULL || strcmp(new_pem, ztx->config.id.ca) != 0) {
+            ztx->tlsCtx->set_ca_bundle(ztx->tlsCtx, new_pem, strlen(new_pem));
             char *old_ca = (char*)ztx->config.id.ca;
+            free(old_ca);
+
             ztx->config.id.ca = new_pem;
+            new_pem = NULL;
 
-            tls_context *new_tls = NULL;
-            tls_context *old_tls = ztx->tlsCtx;
-            if (load_tls(&ztx->config, &new_tls, &ztx->id_creds) == 0) {
-                ztx_config_update(ztx);
-                free(old_ca);
-                ztx->tlsCtx = new_tls;
-                tlsuv_http_set_ssl(ztx_get_controller(ztx)->client, ztx->tlsCtx);
-                new_pem = NULL; // owned by ztx->config
-                old_tls->free_ctx(old_tls);
-            } else {
-                ztx->config.id.ca = old_ca;
-                ZITI_LOG(ERROR, "failed to create TLS context with updated CA bundle");
-            }
+            ztx_config_update(ztx);
         }
     } else {
         ZITI_LOG(ERROR, "failed to get CA bundle from controller: %s", err->message);

library/ziti_ctrl.c

@@ -1068,7 +1068,8 @@ void ziti_pr_post(ziti_controller *ctrl, char *body, size_t body_len,
 
     tlsuv_http_req_t *req = start_request(ctrl->client, "POST", "/posture-response", ctrl_resp_cb, resp);
     tlsuv_http_req_header(req, "Content-Type", "application/json");
-    tlsuv_http_req_data(req, body, body_len, free_body_cb);
+    char *copy = strdup(body);
+    tlsuv_http_req_data(req, copy, body_len, free_body_cb);
 }
 
 void ziti_pr_post_bulk(ziti_controller *ctrl, char *body, size_t body_len,
@@ -1079,7 +1080,8 @@ void ziti_pr_post_bulk(ziti_controller *ctrl, char *body, size_t body_len,
 
     tlsuv_http_req_t *req = start_request(ctrl->client, "POST", "/posture-response-bulk", ctrl_resp_cb, resp);
     tlsuv_http_req_header(req, "Content-Type", "application/json");
-    tlsuv_http_req_data(req, body, body_len, free_body_cb);
+    char *copy = strdup(body);
+    tlsuv_http_req_data(req, copy, body_len, free_body_cb);
 }
 
 static void ctrl_paging_req(struct ctrl_resp *resp) {