Author: rjung
Date: Mon Aug 28 06:49:29 2017
New Revision: 1806404
URL: http://svn.apache.org/viewvc?rev=1806404&view=rev
Log:
Fix a small memory leak during certificate initialization.
Also silence a compiler warning: SSL_CTX_set_ecdh_auto() isn't
needed for OpenSSL 1.1.0 and above and using it there results
in a compiler warning because the compat macro is a noop.
Backport of r1735770 from mod_ssl and partial backport of
r1787728 also from mod_ssl.
Modified:
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1806404&r1=1806403&r2=1806404&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Mon Aug 28 06:49:29 2017
@@ -953,7 +953,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
const char *p;
char err[256];
#ifdef HAVE_ECC
- EC_GROUP *ecparams;
+ EC_GROUP *ecparams = NULL;
int nid;
EC_KEY *eckey = NULL;
#endif
@@ -1034,6 +1034,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
* If only for PEM files move above to the PEM handling */
if ((idx == 0) && (dhparams = SSL_dh_GetParamFromFile(cert_file))) {
SSL_CTX_set_tmp_dh(c->ctx, dhparams);
+ DH_free(dhparams);
}
#ifdef HAVE_ECC
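Review bot: The result of `SSL_CTX_set_tmp_dh()` on the line directly above the added `DH_free()` is still ignored, so parameters the library rejects (for example a group too small for the security level OpenSSL 1.1.0 enforces) are silently dropped and the connection falls back to whatever `SSL_callback_tmp_DH` later supplies, with nothing in the log to explain it. Since the commit is already touching this statement pair, I would check it and report the failure the way the other OpenSSL errors in this function are reported: `if (SSL_CTX_set_tmp_dh(c->ctx, dhparams) != 1) { /* fetch ERR_get_error() into err and report it */ }`. A one-line comment on the new free would also save the next reader a trip to the manual: `/* SSL_CTX_set_tmp_dh() keeps its own copy, so the parsed parameters are released here */`. The enclosing function begins and ends outside this hunk.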
@@ -1048,8 +1049,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
}
/*
- * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+ * ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
+ * or configure NIST P-256 (required to enable ECDHE for earlier versions)
+ * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
*/
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
else {
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(c->ctx, 1);
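Review bot: The new `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)` guard here, and the matching one in the later hunk after the `TODO try to read the ECDH curve name` comment, compile the whole fallback branch out for anything that reports a version of 1.1.0 or higher, and a version number is the only thing it looks at. If this file is also built against LibreSSL, which reports `OPENSSL_VERSION_NUMBER` as 0x20000000L while having a different ECDH default than OpenSSL 1.1.0, the branch disappears there as well; I cannot tell from the hunk whether that is intended, so it is worth confirming. The updated comment explains the OpenSSL behaviour but not the guard itself, so I would put a short comment on the `#if` line: `/* 1.1.0+ selects ECDH curves by default; nothing to configure, and the compat macro is a no-op there */`. The enclosing function continues outside this hunk.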
@@ -1058,7 +1062,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
#endif
}
+#endif
+ /* OpenSSL assures us that _free() is NULL-safe */
EC_KEY_free(eckey);
+ EC_GROUP_free(ecparams);
#endif
SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
@@ -1168,6 +1175,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
/*
* TODO try to read the ECDH curve name from somewhere...
*/
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(c->ctx, 1);
#else
@@ -1176,6 +1184,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
EC_KEY_free(eckey);
#endif
#endif
+#endif
SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
cleanup:
free(key);
Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1806404&r1=1806403&r2=1806404&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Mon Aug 28 06:49:29
2017
@@ -37,6 +37,9 @@
<section name="Changes in 1.2.14">
<changelog>
<fix>
+ Fix a small memory leak during certificate initialization. (rjung)
+ </fix>
+ <fix>
Replace use of deprecated <code>ASN1_STRING_data</code> with
<code>ASN1_STRING_get0_data</code> when building against
OpenSSL 1.1.0 and newer. (rjung)