On 02/16/2017 11:27 PM, [email protected] wrote:
> Author: wrowe
> Date: Thu Feb 16 22:27:24 2017
> New Revision: 1783317
>
> URL: http://svn.apache.org/viewvc?rev=1783317&view=rev
> Log:
> Avoid unnecessary code (the deprecation macro wrapper itself emits unused args
> warnings) in OpenSSL 1.1.0 and avoid _free()ing NULL references.
>
>
> Modified:
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1783317&r1=1783316&r2=1783317&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Feb 16 22:27:24 2017
> @@ -1320,19 +1320,24 @@ static apr_status_t ssl_init_server_cert
> OBJ_nid2sn(nid), vhost_id, certfile);
> }
> /*
> - * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later)
> + * ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
> * or configure NIST P-256 (required to enable ECDHE for earlier
> versions)
> + * ECDH is always enabled in 1.0.2 unless excluded from SSLCipherList
Shouldn't that be 1.1.0 above instead of 1.0.2?
> */
> +#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> else {
> -#if defined(SSL_CTX_set_ecdh_auto)
> +#elif defined(SSL_CTX_set_ecdh_auto)
> SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
> #else
> eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
> SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
> #endif
> }
> - EC_KEY_free(eckey);
> - EC_GROUP_free(ecparams);
> +#endif
> + if (eckey)
> + EC_KEY_free(eckey);
> + if (ecparams)
> + EC_GROUP_free(ecparams);
> #endif
>
> return APR_SUCCESS;
>
>
>
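Review bot: The `#elif defined(SSL_CTX_set_ecdh_auto)` that replaces `#if defined(SSL_CTX_set_ecdh_auto)` becomes a branch of the newly added `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)`, which breaks the conditional structure. On builds older than 1.1.0 only `else {` is compiled from that chain, so the block is empty and neither `SSL_CTX_set_ecdh_auto()` nor the `SSL_CTX_set_tmp_ecdh()` fallback is called. On 1.1.0 the `else {` opener is skipped while the closing `}` after the first `#endif` is still emitted. The added `#endif` then has no `#if` of its own to close, leaving the directives in the hunk unbalanced. Suggest keeping the inner test as `#if defined(SSL_CTX_set_ecdh_auto)` nested inside the version guard, so that the whole `else { ... }` block, including its closing brace, sits between the new `#if` and the new `#endif`.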
Regards
Rüdiger