AW: svn commit: r1682074 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/ssl/ssl_engine_init.c

[Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>]

> -----Ursprüngliche Nachricht-----
> Von: Christophe Jaillet <ch...@wanadoo.fr>
> Gesendet: Samstag, 30. Juni 2018 14:08
> An: dev@httpd.apache.org
> Betreff: Re: svn commit: r1682074 - in /httpd/httpd/branches/2.4.x: ./
> STATUS modules/ssl/ssl_engine_init.c
> 
> Le 27/05/2015 à 18:33, wrowe@apache.org a écrit :
> > Author: wrowe
> > Date: Wed May 27 16:33:10 2015
> > New Revision: 1682074
> >
> > URL: http://svn.apache.org/r1682074
> > Log:
> > mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is
> used.
> > SSL_CTX_set_tmp_ecdh increases reference count, so we have to call
> > EC_KEY_free, otherwise eckey will not be freed.
> >
> > Backports: r1666363
> > Author: jkaluza
> > Reviewed by: rjung, ylavic, wrowe
> >
> 
> Hi,
> 
> This backport looks incomplete.
> 
> In the original patch (r1666363) we have:
> @@ -1151,10 +1151,11 @@
>   #if defined(SSL_CTX_set_ecdh_auto)
>           SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
>   #else
> -        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
> -
> EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
> +        eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
> +        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
> which is not in the backported code. (neither in the .patch file, nor in
> the backport itself)
> 
> Was it intentional or should the missing part be also backported?
> My feeling is that it should be merged.

I agree that this part should be merged as well.

Regards

Rüdiger