
From rpl...@apache.org
Subject svn commit: r1597349 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Date Sat, 24 May 2014 20:28:57 GMT
Author: rpluem
Date: Sat May 24 20:28:56 2014
New Revision: 1597349

URL: http://svn.apache.org/r1597349
Log:
* Hand out the same DH structure in ssl_callback_TmpDH set by
  SSL_CTX_set_tmp_dh_callback though once generated as we leak
  memory otherwise and freeing the structure up after use would be
  hard to track and in fact is not needed at all as it is safe to
  use the same parameters over and over again security wise (in
  contrast to the keys themselves) and code safe as the returned structure
  is duplicated by OpenSSL anyway. Hence no modification happens
  to our copy.

Observed by: rjung
Reviewed by: kbrand

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1597349&r1=1597348&r2=1597349&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat May 24 20:28:56 2014
@@ -1313,20 +1313,33 @@ const authz_provider ssl_authz_provider_
 /*
  * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
  * (get_rfc*) for all available primes.
+ * Hand out the same DH structure though once generated as we leak
+ * memory otherwise and freeing the structure up after use would be
+ * hard to track and in fact is not needed at all as it is safe to
+ * use the same parameters over and over again security wise (in
+ * contrast to the keys itself) and code safe as the returned structure
+ * is duplicated by OpenSSL anyway. Hence no modification happens
+ * to our copy.
  */
 #define make_get_dh(rfc,size,gen) \
 static DH *get_dh##size(void) \
 { \
-    DH *dh; \
-    if (!(dh = DH_new())) { \
+    static DH *dh = NULL; \
+    DH *dh_tmp; \
+\
+    if (dh) { \
+        return dh; \
+    } \
+    if (!(dh_tmp = DH_new())) { \
         return NULL; \
     } \
-    dh->p = get_##rfc##_prime_##size(NULL); \
-    BN_dec2bn(&dh->g, #gen); \
-    if (!dh->p || !dh->g) { \
-        DH_free(dh); \
+    dh_tmp->p = get_##rfc##_prime_##size(NULL); \
+    BN_dec2bn(&dh_tmp->g, #gen); \
+    if (!dh_tmp->p || !dh_tmp->g) { \
+        DH_free(dh_tmp); \
         return NULL; \
     } \
+    dh = dh_tmp; \
     return dh; \
 }
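Review bot: The lazily initialised `static DH *dh` at the top of get_dh##size is read at `if (dh)` and written at `dh = dh_tmp;` with no synchronization, so under a threaded MPM two handshakes that reach the callback at the same time can both see NULL, both build a DH, and the copy that loses the final assignment is leaked — a one-off remnant of the very leak this commit removes, and formally a data race on the pointer. Because the parameters are fixed and DH_new() plus get_##rfc##_prime_##size() is cheap, the cleanest fix is to build each DH once during module initialization and have the macro only return the stored pointer; a mutex around the first-use path would also do. If the race is considered acceptable, it should at least be stated in the new comment block, e.g. `/* Unsynchronized lazy init: concurrent first callers may each build a DH; the last one stored wins and the others leak, which is harmless but not free. */`. The caller ssl_callback_TmpDH referenced in the log is outside this hunk, so whether it is already serialized cannot be confirmed from here.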
 


