Commit fbf92085 authored by William A. Rowe Jr's avatar William A. Rowe Jr

  EVP_PKEY_free() is refcounted on OpenSSL, but NOT under RSA SSL-C.
  Eliminate a number of test failures by conditionally reverting rev 1.79
  pubkey handling in ssl_engine_kernel.c, except under OpenSSL.

  Also revert a rev 1.79 bogosity for all toolkits; it's entirely bogus
  to release a refcount after setting aside the result in a persistent
  structure: in this case sslconn->client_cert from SSL_get_peer_certificate()
  mustn't be freed while sslconn is still in play.  The proper patch (not
  written yet) is to invoke X509_free(sslconn->client_cert) when we
  clean up the sslconn structure.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99250 13f79535-47bb-0310-9956-ffa450edef68
parent b97742be
+7 −8
@@ -730,7 +730,6 @@ int ssl_hook_Access(request_rec *r)
        if ((cert = SSL_get_peer_certificate(ssl))) {
            sslconn->client_cert = cert;
            sslconn->client_dn = NULL;
            X509_free(cert);
        }

        /*
@@ -1409,21 +1408,21 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
         * Verify the signature on this CRL
         */
        pubkey = X509_get_pubkey(cert);
        if (X509_CRL_verify(crl, pubkey) <= 0) {
        rc = X509_CRL_verify(crl, pubkey);
#ifdef OPENSSL_VERSION_NUMBER
        /* Only refcounted in OpenSSL */
        if (pubkey)
            EVP_PKEY_free(pubkey);
#endif
        if (rc <= 0) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                         "Invalid signature on CRL");

            X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
            X509_OBJECT_free_contents(&obj);
            if (pubkey)
                EVP_PKEY_free(pubkey);

            return FALSE;
        }

        if (pubkey)
            EVP_PKEY_free(pubkey);

        /*
         * Check date of CRL to make sure it's not expired
         */
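Review bot: `X509_get_pubkey(cert)` can return NULL, and the new `rc = X509_CRL_verify(crl, pubkey);` still hands that NULL to the verify call before the `if (pubkey)` guard, which protects only the free; since the guard shows a null key is anticipated, the verify should be skipped too, e.g. `rc = pubkey ? X509_CRL_verify(crl, pubkey) : 0;`, so a missing key takes the existing "Invalid signature on CRL" rejection path (`rc <= 0`) rather than relying on the toolkit to tolerate a null key. In the first hunk, dropping `X509_free(cert)` is right given that `sslconn->client_cert` keeps the pointer, but as the description admits nothing now releases the reference obtained from `SSL_get_peer_certificate()`, and any earlier `client_cert` value is overwritten without a free if this path runs more than once on a connection; a comment at the assignment such as `/* sslconn now owns this reference; X509_free() it when sslconn is torn down, not here */` would keep the next reader from reinstating the premature free. Both enclosing functions, `ssl_hook_Access` and `ssl_callback_SSLVerify_CRL`, start and end outside these hunks.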