This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new c8b460dd41 OpenSSL might crash here when passing null on some platforms
c8b460dd41 is described below

commit c8b460dd41545aad0994457abe18fabf856b5968
Author: remm <r...@apache.org>
AuthorDate: Fri May 17 10:51:46 2024 +0200

    OpenSSL might crash here when passing null on some platforms
    
    Also simplify the code: it is best to set MemorySegment.NULL directly rather
    than null, which then has to be checked again so that MemorySegment.NULL
    can be passed later.
    Port from tomcat-native
---
 .../tomcat/util/net/openssl/panama/OpenSSLContext.java     | 14 +++++++-------
 webapps/docs/changelog.xml                                 |  4 ++++
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index b483506d19..84b75a086b 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -560,24 +560,24 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
             } else {
                 // Client certificate verification based on trusted CA files 
and dirs
                 MemorySegment caCertificateFileNative = 
sslHostConfig.getCaCertificateFile() != null
-                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
 : null;
+                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()))
 : MemorySegment.NULL;
                 MemorySegment caCertificatePathNative = 
sslHostConfig.getCaCertificatePath() != null
-                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
 : null;
+                        ? 
localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
 : MemorySegment.NULL;
                 if ((sslHostConfig.getCaCertificateFile() != null || 
sslHostConfig.getCaCertificatePath() != null)
                         && SSL_CTX_load_verify_locations(state.sslCtx,
-                                caCertificateFileNative == null ? 
MemorySegment.NULL : caCertificateFileNative,
-                                caCertificatePathNative == null ? 
MemorySegment.NULL : caCertificatePathNative) <= 0) {
+                                caCertificateFileNative, 
caCertificatePathNative) <= 0) {
                     logLastError("openssl.errorConfiguringLocations");
                 } else {
                     var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
                     if (MemorySegment.NULL.equals(caCerts)) {
-                        caCerts = 
SSL_load_client_CA_file(caCertificateFileNative == null ? MemorySegment.NULL : 
caCertificateFileNative);
+                        caCerts = 
SSL_load_client_CA_file(caCertificateFileNative);
                         if (!MemorySegment.NULL.equals(caCerts)) {
                             SSL_CTX_set_client_CA_list(state.sslCtx, caCerts);
                         }
                     } else {
-                        if (SSL_add_file_cert_subjects_to_stack(caCerts,
-                                caCertificateFileNative == null ? 
MemorySegment.NULL : caCertificateFileNative) <= 0) {
+                        // OpenSSL might crash here when passing null on some 
platforms
+                        if (MemorySegment.NULL.equals(caCertificateFileNative)
+                                || 
(SSL_add_file_cert_subjects_to_stack(caCerts, caCertificateFileNative) <= 0)) {
                             caCerts = MemorySegment.NULL;
                         }
                     }
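Review bot: The new guard in the `if (MemorySegment.NULL.equals(caCertificateFileNative) || ...` condition protects SSL_add_file_cert_subjects_to_stack only, while the other branch's `caCerts = SSL_load_client_CA_file(caCertificateFileNative);` still receives the same segment, which is MemorySegment.NULL whenever no CA file is configured — including the case where neither file nor path is set, since the `SSL_CTX_load_verify_locations` condition short-circuits straight into this else block. As far as I can tell SSL_load_client_CA_file opens the path through the same file BIO routine, so the null-path crash this commit fixes appears reachable there as well, and the two branches would be consistent with a symmetric guard: `caCerts = MemorySegment.NULL.equals(caCertificateFileNative) ? MemorySegment.NULL : SSL_load_client_CA_file(caCertificateFileNative);`. The enclosing method starts and ends outside the hunk, so whether a later check already rules this path out is not visible here.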
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9385c86de5..777667c181 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,10 @@
         Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer,
         and use ERR_error_string_n instead. (remm)
       </fix>
+      <fix>
+        Fix a crash on Windows setting CA certificate on null path.
+        (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">

