From f2b610bc53df8e759d48a8b4a71a83bee8035513 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Sat, 5 Apr 2003 18:36:56 +0000
Subject: [PATCH] EVP_PKEY_free() is refcounted on OpenSSL, but NOT under RSA SSL-C. Eliminate a number of test failures by conditionally reverting rev 1.79 pubkey handling in ssl_engine_kernel.c, except under OpenSSL. Also revert a rev 1.79 bogisity for all toolkits; it's entirely bogus to release a refcount after setting aside the results in a persistant structure, in this case sslconn->client_cert from SSL_get_peer_certificate() mustn't be freed while sslconn is still in play. The proper patch (not written yet) is to invoke the X509_free(sslconn->client_cert) when we cleanup the sslconn structure.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99250 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index e1520e4434..dfcd5e5f59 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -730,7 +730,6 @@ int ssl_hook_Access(request_rec *r)
 if ((cert = SSL_get_peer_certificate(ssl))) {
 sslconn->client_cert = cert;
 sslconn->client_dn = NULL;
- X509_free(cert);
 }
 
 /*
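Review bot: With `X509_free(cert)` removed, the reference returned by `SSL_get_peer_certificate()` is never released on the new side, and the `sslconn` cleanup the commit message says will do it is not part of this patch, so every call overwrites `sslconn->client_cert` with a fresh reference and silently drops the previous one. Under OpenSSL, where `SSL_get_peer_certificate()` increments the certificate's refcount, that is one leaked `X509` per access check on a keep-alive connection, driven by any client that presents a certificate; under the other toolkit the message describes, ownership presumably differs and the same release may not be correct, so it should be gated the same way the rest of the commit gates toolkit differences. At minimum the deferred release should land with this change rather than later, e.g. `if (sslconn->client_cert) X509_free(sslconn->client_cert);` before the assignment, plus an `X509_free(sslconn->client_cert)` wherever `sslconn` is torn down, with a comment at the assignment such as `/* we own this reference; released when sslconn is cleaned up */`. The body of ssl_hook_Access begins and ends outside this hunk.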
@@ -1409,21 +1408,21 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 * Verify the signature on this CRL
 */
 pubkey = X509_get_pubkey(cert);
- if (X509_CRL_verify(crl, pubkey) <= 0) {
+ rc = X509_CRL_verify(crl, pubkey);
+#ifdef OPENSSL_VERSION_NUMBER
+ /* Only refcounted in OpenSSL */
+ if (pubkey)
+ EVP_PKEY_free(pubkey);
+#endif
+ if (rc <= 0) {
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
 "Invalid signature on CRL");
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
 X509_OBJECT_free_contents(&obj);
- if (pubkey)
- EVP_PKEY_free(pubkey);
-
 return FALSE;
 }
- if (pubkey)
- EVP_PKEY_free(pubkey);
-
 /*
 * Check date of CRL to make sure it's not expired
 */
-- 
2.40.0
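Review bot: The added `#ifdef OPENSSL_VERSION_NUMBER` ties the `EVP_PKEY_free()` to a macro from OpenSSL's version header rather than to an explicit toolkit switch, so if that header is not reached through the include chain the free is compiled out without any diagnostic and every CRL signature check leaks the `EVP_PKEY` that `X509_get_pubkey()` returns, on a path a client can drive once per handshake. A dedicated toolkit macro, or at least an `#else` branch that documents the SSL-C ownership rule, would make the intent checkable instead of depending on an incidental define. The comment `/* Only refcounted in OpenSSL */` also understates the contract; something like `/* OpenSSL's X509_get_pubkey() returns a new reference we own; SSL-C hands back the cert's own key, which must not be freed */` says why the guard exists. Moving the free ahead of the `rc <= 0` test is sound since `pubkey` is not used afterwards, but `rc` is assumed to be declared earlier in ssl_callback_SSLVerify_CRL, whose declarations and remaining body lie outside this hunk.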