tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rj...@apache.org
Subject svn commit: r1806404 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Date Mon, 28 Aug 2017 06:49:29 GMT
Author: rjung
Date: Mon Aug 28 06:49:29 2017
New Revision: 1806404

URL: http://svn.apache.org/viewvc?rev=1806404&view=rev
Log:
Fix a small memory leak during certificate initialization.

Also silence a compiler warning: SSL_CTX_set_ecdh_auto() isn't
needed for OpenSSL 1.1.0 and above and using it there results
in a compiler warning because the compat macro is a noop.

Backport of r1735770 from mod_ssl and partial backport of
r1787728 also from mod_ssl.

Modified:
    tomcat/native/trunk/native/src/sslcontext.c
    tomcat/native/trunk/xdocs/miscellaneous/changelog.xml

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1806404&r1=1806403&r2=1806404&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Mon Aug 28 06:49:29 2017
@@ -953,7 +953,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     const char *p;
     char err[256];
 #ifdef HAVE_ECC
-    EC_GROUP *ecparams;
+    EC_GROUP *ecparams = NULL;
     int nid;
     EC_KEY *eckey = NULL;
 #endif
@@ -1034,6 +1034,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
      * If only for PEM files move above to the PEM handling */
     if ((idx == 0) && (dhparams = SSL_dh_GetParamFromFile(cert_file))) {
         SSL_CTX_set_tmp_dh(c->ctx, dhparams);
+        DH_free(dhparams);
     }
 
 #ifdef HAVE_ECC
@@ -1048,8 +1049,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
         SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
     }
     /*
-     * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+     * ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
+     * or configure NIST P-256 (required to enable ECDHE for earlier versions)
+     * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
      */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
     else {
 #if defined(SSL_CTX_set_ecdh_auto)
         SSL_CTX_set_ecdh_auto(c->ctx, 1);
@@ -1058,7 +1062,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
         SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
 #endif
     }
+#endif
+    /* OpenSSL assures us that _free() is NULL-safe */
     EC_KEY_free(eckey);
+    EC_GROUP_free(ecparams);
 #endif
     SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
 
@@ -1168,6 +1175,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     /*
      * TODO try to read the ECDH curve name from somewhere...
      */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #if defined(SSL_CTX_set_ecdh_auto)
     SSL_CTX_set_ecdh_auto(c->ctx, 1);
 #else
@@ -1176,6 +1184,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     EC_KEY_free(eckey);
 #endif
 #endif
+#endif
     SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
 cleanup:
     free(key);

Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1806404&r1=1806403&r2=1806404&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Mon Aug 28 06:49:29 2017
@@ -37,6 +37,9 @@
 <section name="Changes in 1.2.14">
   <changelog>
     <fix>
+      Fix a small memory leak during certificate initialization. (rjung)
+    </fix>
+    <fix>
       Replace use of deprecated <code>ASN1_STRING_data</code> with
       <code>ASN1_STRING_get0_data</code> when building against
       OpenSSL 1.1.0 and newer. (rjung)



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message