This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 6435647905 OpenSSL might crash here when passing null on some platforms
6435647905 is described below

commit 64356479050872916ca43a0cb73dfd413667106e
Author: remm <r...@apache.org>
AuthorDate: Fri May 17 10:51:46 2024 +0200

    OpenSSL might crash here when passing null on some platforms
    
    Also simplify code, it is best to set MemorySegment.NULL rather than
    null and then check again to pass MemorySegment.NULL later.
    Port from tomcat-native
---
 .../tomcat/util/net/openssl/panama/OpenSSLContext.java     | 14 +++++++-------
 webapps/docs/changelog.xml                                 |  4 ++++
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index b483506d19..84b75a086b 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -560,24 +560,24 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
             } else {
                 // Client certificate verification based on trusted CA files 
and dirs
                 MemorySegment caCertificateFileNative = 
sslHostConfig.getCaCertificateFile() != null
-                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
 : null;
+                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
 : MemorySegment.NULL;
                 MemorySegment caCertificatePathNative = 
sslHostConfig.getCaCertificatePath() != null
-                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
 : null;
+                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
 : MemorySegment.NULL;
                 if ((sslHostConfig.getCaCertificateFile() != null || 
sslHostConfig.getCaCertificatePath() != null)
                         && SSL_CTX_load_verify_locations(state.sslCtx,
-                                caCertificateFileNative == null ? 
MemorySegment.NULL : caCertificateFileNative,
-                                caCertificatePathNative == null ? 
MemorySegment.NULL : caCertificatePathNative) <= 0) {
+                                caCertificateFileNative, 
caCertificatePathNative) <= 0) {
                     logLastError("openssl.errorConfiguringLocations");
                 } else {
                     var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
                     if (MemorySegment.NULL.equals(caCerts)) {
-                        caCerts = 
SSL_load_client_CA_file(caCertificateFileNative == null ? MemorySegment.NULL : 
caCertificateFileNative);
+                        caCerts = 
SSL_load_client_CA_file(caCertificateFileNative);
                         if (!MemorySegment.NULL.equals(caCerts)) {
                             SSL_CTX_set_client_CA_list(state.sslCtx, caCerts);
                         }
                     } else {
-                        if (SSL_add_file_cert_subjects_to_stack(caCerts,
-                                caCertificateFileNative == null ? 
MemorySegment.NULL : caCertificateFileNative) <= 0) {
+                        // OpenSSL might crash here when passing null on some 
platforms
+                        if (MemorySegment.NULL.equals(caCertificateFileNative)
+                                || 
(SSL_add_file_cert_subjects_to_stack(caCerts, caCertificateFileNative) <= 0)) {
                             caCerts = MemorySegment.NULL;
                         }
                     }
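Review bot: `SSL_load_client_CA_file(caCertificateFileNative)` in the first inner branch still receives `MemorySegment.NULL` whenever no CA file is configured, because the new NULL guard covers only `SSL_add_file_cert_subjects_to_stack`. That branch is reachable with only `caCertificatePath` set, or with neither set, since the outer condition short-circuits in the second case. If the platform-specific crash noted in the new comment can also occur when OpenSSL opens a NULL filename in this call (not verifiable from the hunk), the same guard belongs here, e.g. `if (!MemorySegment.NULL.equals(caCertificateFileNative)) { caCerts = SSL_load_client_CA_file(caCertificateFileNative); }`. The new comment could also say that a missing file is deliberately treated like a failed load (`caCerts = MemorySegment.NULL`), so a path-only configuration is not mistaken for an error later. The enclosing method starts and ends outside the hunk, so how `caCerts` is used afterwards is not visible here.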
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 959d0824f4..9b8066ddd3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,10 @@
         Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer,
         and use ERR_error_string_n instead. (remm)
       </fix>
+      <fix>
+        Fix a crash on Windows setting CA certificate on null path.
+        (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">

