(tomcat) branch 11.0.x updated: Free private keys after use

Wed, 08 Apr 2026 08:48:11 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new b974670ca2 Free private keys after use
b974670ca2 is described below

commit b974670ca2d6485e3532fba2a8b8ec0dca670f39
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Apr 8 16:47:31 2026 +0100

    Free private keys after use
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 4 ++++
 webapps/docs/changelog.xml                                         | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 208d30b508..95a9c54749 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1082,8 +1082,10 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                 X509_free(cert);
                 if (SSL_CTX_use_PrivateKey(state.sslCtx, key) <= 0) {
                     logLastError("openssl.errorLoadingPrivateKey");
+                    EVP_PKEY_free(key);
                     return false;
                 }
+                EVP_PKEY_free(key);
                 if (SSL_CTX_check_private_key(state.sslCtx) <= 0) {
                     logLastError("openssl.errorPrivateKeyCheck");
                     return false;
@@ -1262,8 +1264,10 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                 X509_free(x509cert);
                 if (SSL_CTX_use_PrivateKey(state.sslCtx, privateKeyAddress) <= 
0) {
                     logLastError("openssl.errorLoadingPrivateKey");
+                    EVP_PKEY_free(privateKeyAddress);
                     return false;
                 }
+                EVP_PKEY_free(privateKeyAddress);
                 if (SSL_CTX_check_private_key(state.sslCtx) <= 0) {
                     logLastError("openssl.errorPrivateKeyCheck");
                     return false;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 36e4857873..fbca3a0ef4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -159,6 +159,10 @@
         Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields
         not permitted in trailers. (markt)
       </fix>
+      <fix>
+        Free private keys after use in FFM based connector configuration.
+        (markt) 
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to