Subject: svn commit: r1806404 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Date: Mon, 28 Aug 2017 06:49:29 -0000
To: dev@tomcat.apache.org
From: rjung@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20170828064933.3AE6E3A000D@svn01-us-west.apache.org> archived-at: Mon, 28 Aug 2017 06:49:37 -0000 Author: rjung Date: Mon Aug 28 06:49:29 2017 New Revision: 1806404 URL: http://svn.apache.org/viewvc?rev=1806404&view=rev Log: Fix a small memory leak during certificate initialization. Also silence a compiler warning: SSL_CTX_set_ecdh_auto() isn't needed for OpenSSL 1.1.0 and above and using it there results in a compiler warning because the compat macro is a noop. Backport of r1735770 from mod_ssl and partial backport of r1787728 also from mod_ssl. Modified: tomcat/native/trunk/native/src/sslcontext.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/sslcontext.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1806404&r1=1806403&r2=1806404&view=diff ============================================================================== --- tomcat/native/trunk/native/src/sslcontext.c (original) +++ tomcat/native/trunk/native/src/sslcontext.c Mon Aug 28 06:49:29 2017 @@ -953,7 +953,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, const char *p; char err[256]; #ifdef HAVE_ECC - EC_GROUP *ecparams; + EC_GROUP *ecparams = NULL; int nid; EC_KEY *eckey = NULL; #endif @@ -1034,6 +1034,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, * If only for PEM files move above to the PEM handling */ if ((idx == 0) && (dhparams = SSL_dh_GetParamFromFile(cert_file))) { SSL_CTX_set_tmp_dh(c->ctx, dhparams); + DH_free(dhparams); } #ifdef HAVE_ECC 
@@ -1048,8 +1049,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, SSL_CTX_set_tmp_ecdh(c->ctx, eckey); } /* - * ...otherwise, configure NIST P-256 (required to enable ECDHE) + * ...otherwise, enable auto curve selection (OpenSSL 1.0.2) + * or configure NIST P-256 (required to enable ECDHE for earlier versions) + * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) else { #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(c->ctx, 1); @@ -1058,7 +1062,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, SSL_CTX_set_tmp_ecdh(c->ctx, eckey); #endif } +#endif + /* OpenSSL assures us that _free() is NULL-safe */ EC_KEY_free(eckey); + EC_GROUP_free(ecparams); #endif SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH); @@ -1168,6 +1175,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, /* * TODO try to read the ECDH curve name from somewhere... */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(c->ctx, 1); #else @@ -1176,6 +1184,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, EC_KEY_free(eckey); #endif #endif +#endif SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH); cleanup: free(key); Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1806404&r1=1806403&r2=1806404&view=diff ============================================================================== --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Mon Aug 28 06:49:29 2017 @@ -37,6 +37,9 @@
+ Fix a small memory leak during certificate initialization. (rjung) + + Replace use of deprecated ASN1_STRING_data with ASN1_STRING_get0_data when building against OpenSSL 1.1.0 and newer. (rjung)
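Review bot: the `EC_GROUP *ecparams = NULL;` initialization in the @@ -953 hunk is load-bearing, not cosmetic: the `EC_GROUP_free(ecparams);` added later in the same function runs unconditionally, so without the initializer a skipped or failed parameter read would pass an indeterminate pointer to the free. Worth a short comment at the declaration saying it must stay initialized for the unconditional free at the end of the function, so a future cleanup does not drop it.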
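Review bot: the return value of `SSL_CTX_set_tmp_dh(c->ctx, dhparams);` in the @@ -1034 hunk is still ignored, so if OpenSSL rejects the parameters read from the certificate file (the call returns 0 on failure) the DH object is now freed and the failure is silently dropped, leaving the handshake to whatever SSL_callback_tmp_DH later provides. Suggest checking the return and logging or reporting the failure. The `DH_free(dhparams);` itself is correct: SSL_CTX_set_tmp_dh keeps its own copy of the parameters and does not take ownership of the caller's DH, which is exactly why the old code leaked.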
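Review bot: the new comment `ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList` in the @@ -1048 hunk describes only the else branch; the preceding `SSL_CTX_set_tmp_ecdh(c->ctx, eckey);` in the if branch is still compiled for every OpenSSL version, and on 1.1.0 that call narrows the supported-groups list to the single curve found in the certificate file, overriding the library's automatic curve selection. Suggest extending the comment to say that a curve read from the certificate file pins that curve on 1.1.0 as well, so a reader does not conclude that 1.1.0 always negotiates curves automatically. The unconditional `EC_GROUP_free(ecparams);` is fine: both EC_KEY_free and EC_GROUP_free accept NULL, as the added comment says.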
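Review bot: the `TODO try to read the ECDH curve name from somewhere...` comment in the @@ -1168 hunk now sits above a block that is compiled out entirely on OpenSSL 1.1.0 and later, so it reads as if curve handling is missing on 1.1.0 when the intent (per the @@ -1048 hunk's comment) is that the library defaults apply there. Suggest moving the TODO inside the new `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)` guard or rewording it to say it concerns pre-1.1.0 builds only.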
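Review bot: the `+#endif` appended after the two existing `#endif` lines in the @@ -1176 hunk is correct only by position: the second existing `#endif`, which previously closed the outer conditional (the `#ifdef HAVE_ECC` block, by analogy with the first function), now closes the new `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)`, and the added one takes over the outer block. Three bare `#endif` in a row whose meanings just shifted are easy to get wrong in the next edit; suggest trailing comments on each, e.g. `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` and `#endif /* HAVE_ECC */`, and the same for the guard added in the @@ -1048 hunk.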
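Review bot: the changelog entry in the @@ -37 hunk records only the memory-leak fix; the code change also stops calling `SSL_CTX_set_ecdh_auto()` when building against OpenSSL 1.1.0 and later (the compiler-warning fix described in the log message), which is a build-behaviour change users may look for. Suggest a second entry, or extending this one, to mention it.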