1) In other code I see

    EC_KEY_free(ecdh);

after

    EC_KEY *ecdh = EC_KEY_new_by_curve_name(...)

and using ecdh, e.g. in

    SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);

Should we add the free? Or is it not needed? Does anyone know why?

This was added in r1666363:

* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
otherwise eckey will not be freed.

Damn, I was working my way through old patches to port them to Tomcat tcnative and forgot to check the current code.
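The reference-count behaviour explained in the reply above, as an added example rather than code from httpd, tcnative or OpenSSL: a small model in C of a key object whose setter takes its own reference, so the caller must still release the reference it got from the constructor. `model_key`, `model_ctx`, `live_keys` and the curve id value are constructed stand-ins for EC_KEY, SSL_CTX and a real NID; the two init functions return how many keys are still alive after the context is torn down.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not OpenSSL code) of a reference-counted key object.
 * The creator of a key holds one reference; every holder that keeps the key
 * takes its own reference and releases it when done. */
typedef struct model_key {
    int refs;   /* outstanding references */
    int nid;    /* curve identifier; placeholder value, not a real OpenSSL NID */
} model_key;

/* Number of key objects allocated but not yet released.
 * A non-zero delta across an init/teardown cycle is a leak. */
static int live_keys = 0;

static model_key *model_key_new(int nid)
{
    model_key *k = calloc(1, sizeof *k);
    if (k == NULL)
        return NULL;
    k->refs = 1;              /* the caller owns this reference */
    k->nid = nid;
    live_keys++;
    return k;
}

static void model_key_free(model_key *k)
{
    if (k == NULL)
        return;
    if (--k->refs == 0) {     /* last holder releases the storage */
        live_keys--;
        free(k);
    }
}

/* Minimal stand-in for a context that keeps a temporary ECDH key. */
typedef struct model_ctx {
    model_key *tmp_ecdh;
} model_ctx;

/* Models what the thread says about SSL_CTX_set_tmp_ecdh(): the context
 * increments the key's reference count and keeps its own reference, so the
 * caller's reference is still outstanding afterwards. */
static int model_ctx_set_tmp_ecdh(model_ctx *ctx, model_key *k)
{
    if (ctx == NULL || k == NULL)
        return 0;
    model_key_free(ctx->tmp_ecdh);   /* drop any previously installed key */
    k->refs++;
    ctx->tmp_ecdh = k;
    return 1;
}

static void model_ctx_free(model_ctx *ctx)
{
    if (ctx == NULL)
        return;
    model_key_free(ctx->tmp_ecdh);   /* the context releases its reference */
    free(ctx);
}

/* Pattern before the r1666363 fix: the key is created and installed, but the
 * caller's own reference is never released. Returns the number of keys still
 * alive after teardown: 1 means the key leaked. */
static int init_without_free(int nid)
{
    int before = live_keys, leaked;
    model_ctx *ctx = calloc(1, sizeof *ctx);
    model_key *k = model_key_new(nid);
    if (ctx == NULL || k == NULL) { model_key_free(k); free(ctx); return -1; }
    model_ctx_set_tmp_ecdh(ctx, k);
    /* missing here: model_key_free(k); */
    model_ctx_free(ctx);
    leaked = live_keys - before;     /* measured while the key is still dangling */
    model_key_free(k);               /* only so this demo program exits clean */
    return leaked;
}

/* Pattern after the fix: release the caller's reference as soon as the
 * context has taken its own. Returns 0 when nothing leaked. */
static int init_with_free(int nid)
{
    int before = live_keys;
    model_ctx *ctx = calloc(1, sizeof *ctx);
    model_key *k = model_key_new(nid);
    if (ctx == NULL || k == NULL) { model_key_free(k); free(ctx); return -1; }
    model_ctx_set_tmp_ecdh(ctx, k);
    model_key_free(k);               /* ctx still holds its own reference */
    model_ctx_free(ctx);
    return live_keys - before;
}

int main(void)
{
    printf("without EC_KEY_free: %d key(s) leaked\n", init_without_free(1));
    printf("with    EC_KEY_free: %d key(s) leaked\n", init_with_free(1));
    return 0;
}
```

The same ownership rule applies to any OpenSSL setter that documents an internal up_ref: the object handed in is still the caller's to free, and in a server init path that runs on every graceful restart the missed free accumulates rather than being a one-off.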

2) In modules/ssl/ssl_private.h I see

/**
 * The following features all depend on TLS extension support.
 * Within this block, check again for features (not version numbers).
 */
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)

#define HAVE_TLSEXT

I guess this was (one of) the first TLS extensions added to OpenSSL,
hence OPENSSL_NO_TLSEXT was probably defined at the same time as
SSL_set_tlsext_host_name.
This code checks if extensions are not disabled (OPENSSL_NO_TLSEXT),
but that's relevant only if they exist in OpenSSL
(SSL_set_tlsext_host_name).


Should we switch the code to:

/**
 * The following features all depend on TLS extension support.
 * Within this block, check again for features (not version numbers).
 */
#if !defined(OPENSSL_NO_TLSEXT)

That would be true before OPENSSL_NO_TLSEXT existed...

Yup, got it.

Thanks a bunch,

Rainer
