Description
I did this
As part of the Fedora package build, we run curl tests under valgrind.
Recently I attempted to enable HTTP/3 support (ngtcp2 + nghttp3 + ossl crypto) and observed the following error during execution of all available HTTP/3 tests (2500-2503):
==31241== 7,689 (1,856 direct, 5,833 indirect) bytes in 2 blocks are definitely lost in loss record 983 of 998
==31241== at 0x4873B26: malloc (vg_replace_malloc.c:447)
==31241== by 0x4F9EA7D: CRYPTO_malloc (mem.c:211)
==31241== by 0x4DA722A: ssl_session_dup_intern.lto_priv.0 (ssl_sess.c:140)
==31241== by 0x4E0FA39: ssl_session_dup (ssl_sess.c:283)
==31241== by 0x4E0FA39: tls_process_new_session_ticket (statem_clnt.c:2769)
==31241== by 0x4E0FA39: ossl_statem_client_process_message (statem_clnt.c:1136)
==31241== by 0x4E05E6B: read_state_machine (statem.c:689)
==31241== by 0x4E05E6B: state_machine (statem.c:483)
==31241== by 0x4DE99E9: ssl3_read_bytes (rec_layer_s3.c:1031)
==31241== by 0x4D88207: ssl3_read_internal.part.0 (s3_lib.c:4666)
==31241== by 0x4D93D8A: SSL_read (ssl_lib.c:2393)
==31241== by 0x4BA1B88: ngtcp2_crypto_read_write_crypto_data (ossl.c:891)
==31241== by 0x4BA424A: ngtcp2_crypto_recv_crypto_data_cb (shared.c:1718)
==31241== by 0x4BB3C50: conn_call_recv_crypto_data.lto_priv.0 (ngtcp2_conn.c:150)
==31241== by 0x4BBF383: conn_recv_crypto (ngtcp2_conn.c:7275)
==31241== by 0x4BC4FAD: conn_recv_pkt (ngtcp2_conn.c:9557)
==31241== by 0x4BC9D6D: conn_recv_cpkt (ngtcp2_conn.c:9968)
==31241== by 0x4BC9D6D: ngtcp2_conn_read_pkt_versioned (ngtcp2_conn.c:10337)
==31241== by 0x4939C0A: cf_ngtcp2_recv_pkts (curl_ngtcp2.c:1762)
==31241== by 0x493E232: recvmmsg_packets.constprop.0 (vquic.c:457)
This points to a leaking SSL_SESSION object. After a short investigation, I found that:
- ossl_new_session_cb in lib/vtls/openssl.c calls Curl_ossl_add_session and returns 0.
- quic_ossl_new_session_cb in lib/vquic/curl_ngtcp2.c calls Curl_ossl_add_session and returns 1.
1 tells OpenSSL that the app code will keep a reference to the SSL_SESSION and SSL_SESSION_free it at the right moment. That's obviously not what Curl_ossl_add_session does, so unless I'm missing something, quic_ossl_new_session_cb should return 0.
I expected the following
No response
curl/libcurl version
curl 8.17.0 (x86_64-redhat-linux-gnu) libcurl/8.17.0 OpenSSL/3.5.4 zlib/1.3.1.zlib-ng brotli/1.1.0 libidn2/2.3.8 libpsl/0.21.5 libssh/0.11.3/openssl/zlib nghttp2/1.68.0 ngtcp2/1.18.0 nghttp3/1.13.1 mit-krb5/1.21.3 OpenLDAP/2.6.10
Release-Date: 2025-11-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets
operating system
Fedora rawhide (44)
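The ownership contract behind the callback return value described in this report, as an added example that is not curl or OpenSSL code. It is a self-contained toy model: `session`, `deliver_ticket` and the `cb_*` callbacks are hypothetical names, and `cb_claims_without_keeping` assumes a callback that only copies the session into a cache without retaining the pointer.

```c
/* Toy model of the new-session callback ownership contract (no OpenSSL needed). */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int refs; } session;   /* stand-in for SSL_SESSION */
typedef int (*new_session_cb)(session *);
static int live_sessions;               /* objects allocated and not yet freed */
static session *kept;                   /* reference held by cb_keep_ref() */

static session *session_new(void) {
  session *s = malloc(sizeof(*s));
  if(!s) abort();
  s->refs = 1;
  live_sessions++;
  return s;
}
static void session_up_ref(session *s) { s->refs++; }
static void session_free(session *s) {
  if(s && --s->refs == 0) { free(s); live_sessions--; }
}

/* Assumed shape of the reported bug: the session is only copied into a cache
   (nothing retains the pointer), yet the callback claims the reference. */
static int cb_claims_without_keeping(session *s) { (void)s; return 1; }
/* Same work, but tells the library it did not take the reference. */
static int cb_declines(session *s) { (void)s; return 0; }
/* Legitimate "return 1": the pointer is stored and freed later by the app. */
static int cb_keep_ref(session *s) { kept = s; return 1; }

/* Models the library side: one extra reference is taken for the callback and
   dropped again only when the callback returns 0. Returns leaked objects. */
static int deliver_ticket(new_session_cb cb) {
  int before = live_sessions;
  session *s = session_new();  /* library's own reference */
  session_up_ref(s);           /* reference offered to the callback */
  if(!cb(s))
    session_free(s);           /* callback declined: library drops it */
  session_free(s);             /* library's reference ends with the connection */
  if(kept) { session_free(kept); kept = NULL; }  /* app-side cleanup */
  return live_sessions - before;
}

int main(void) {
  printf("return 1, no ref kept: %d leaked\n", deliver_ticket(cb_claims_without_keeping));
  printf("return 0:              %d leaked\n", deliver_ticket(cb_declines));
  printf("return 1, ref freed:   %d leaked\n", deliver_ticket(cb_keep_ref));
  return 0;
}
```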