(Darwin) Fix leak on setting unsupported cipher pref (#757)

xiazhvera · web-flow · commit 9b8d716b3b12 · 2025-09-29T16:14:59.000-07:00
diff --git a/source/darwin/secure_transport_tls_channel_handler.c b/source/darwin/secure_transport_tls_channel_handler.c
@@ -1071,14 +1071,14 @@ static void s_aws_secure_transport_ctx_destroy(struct secure_transport_ctx *secu
 }
 
 static struct aws_tls_ctx *s_tls_ctx_new(struct aws_allocator *alloc, const struct aws_tls_ctx_options *options) {
-    struct secure_transport_ctx *secure_transport_ctx = aws_mem_calloc(alloc, 1, sizeof(struct secure_transport_ctx));
-
     if (!aws_tls_is_cipher_pref_supported(options->cipher_pref)) {
         aws_raise_error(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED);
         AWS_LOGF_ERROR(AWS_LS_IO_TLS, "static: TLS Cipher Preference is not supported: %d.", options->cipher_pref);
         return NULL;
     }
 
+    struct secure_transport_ctx *secure_transport_ctx = aws_mem_calloc(alloc, 1, sizeof(struct secure_transport_ctx));
+
     secure_transport_ctx->wrapped_allocator = aws_wrapped_cf_allocator_new(alloc);
     if (!secure_transport_ctx->wrapped_allocator) {
         goto cleanup_secure_transport_ctx;
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -290,6 +290,8 @@ if(NOT BYO_CRYPTO)
     add_net_test_case(alpn_successfully_negotiates)
     add_net_test_case(alpn_no_protocol_message)
     add_net_test_case(test_ecc_cert_import)
+
+    add_test_case(test_tls_cipher_preference)
 if(NOT AWS_USE_SECITEM)
     # These tests require the test binary to be codesigned with an Apple Developer account with entitlements.
     # The entitlements also require a provisioning profile and require the binary to be run from within XCode or a
diff --git a/tests/tls_handler_test.c b/tests/tls_handler_test.c
@@ -2718,4 +2718,31 @@ static int s_test_pkcs8_import(struct aws_allocator *allocator, void *ctx) {
 
 AWS_TEST_CASE(test_pkcs8_import, s_test_pkcs8_import)
 
+static int s_test_tls_cipher_preference_fn(struct aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+    aws_io_library_init(allocator);
+
+    struct aws_tls_ctx_options tls_options;
+    aws_tls_ctx_options_init_default_client(&tls_options, allocator);
+
+    aws_tls_ctx_options_set_tls_cipher_preference(&tls_options, AWS_IO_TLS_CIPHER_PREF_TLSV1_2_2025_07);
+    /* Creating tls context */
+    struct aws_tls_ctx *tls_context = aws_tls_client_ctx_new(allocator, &tls_options);
+#    ifdef USE_S2N
+    ASSERT_NOT_NULL(tls_context);
+    aws_tls_ctx_release(tls_context);
+#    else
+    /* The cipher suite currently only available with S2N */
+    ASSERT_NULL(tls_context);
+    ASSERT_INT_EQUALS(AWS_IO_TLS_CIPHER_PREF_UNSUPPORTED, aws_last_error());
+#    endif
+
+    aws_tls_ctx_options_clean_up(&tls_options);
+    aws_io_library_clean_up();
+
+    return AWS_OP_SUCCESS;
+}
+
+AWS_TEST_CASE(test_tls_cipher_preference, s_test_tls_cipher_preference_fn)
+
 #endif /* BYO_CRYPTO */
