Google Git
Sign in
apache / tomcat / refs/heads/10.1.x^! / .
commit64356479050872916ca43a0cb73dfd413667106e[log] [tgz]
authorremm <remm@apache.org>Fri May 17 10:51:46 2024 +0200
committerremm <remm@apache.org>Fri May 17 10:53:04 2024 +0200
tree3b84ee4e32852e4b215194747d3723c43c0d702c
parentbaa0ebcf6d8b1620cf376cf2c09d34abd0495643 [diff]
OpenSSL might crash here when passing null on some platforms

Also simplify code, it is best to set MemorySegment.NULL rather than
null and then check again to pass MemorySegment.NULL later.
Port from tomcat-native
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index b483506..84b75a0 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java

@@ -560,24 +560,24 @@
             } else {
                 // Client certificate verification based on trusted CA files and dirs
                 MemorySegment caCertificateFileNative = sslHostConfig.getCaCertificateFile() != null
-                        ? localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile())) : null;
+                        ? localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile())) : MemorySegment.NULL;
                 MemorySegment caCertificatePathNative = sslHostConfig.getCaCertificatePath() != null
-                        ? localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath())) : null;
+                        ? localArena.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath())) : MemorySegment.NULL;
                 if ((sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null)
                         && SSL_CTX_load_verify_locations(state.sslCtx,
-                                caCertificateFileNative == null ? MemorySegment.NULL : caCertificateFileNative,
-                                caCertificatePathNative == null ? MemorySegment.NULL : caCertificatePathNative) <= 0) {
+                                caCertificateFileNative, caCertificatePathNative) <= 0) {
                     logLastError("openssl.errorConfiguringLocations");
                 } else {
                     var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
                     if (MemorySegment.NULL.equals(caCerts)) {
-                        caCerts = SSL_load_client_CA_file(caCertificateFileNative == null ? MemorySegment.NULL : caCertificateFileNative);
+                        caCerts = SSL_load_client_CA_file(caCertificateFileNative);
                         if (!MemorySegment.NULL.equals(caCerts)) {
                             SSL_CTX_set_client_CA_list(state.sslCtx, caCerts);
                         }
                     } else {
-                        if (SSL_add_file_cert_subjects_to_stack(caCerts,
-                                caCertificateFileNative == null ? MemorySegment.NULL : caCertificateFileNative) <= 0) {
+                        // OpenSSL might crash here when passing null on some platforms
+                        if (MemorySegment.NULL.equals(caCertificateFileNative)
+                                || (SSL_add_file_cert_subjects_to_stack(caCerts, caCertificateFileNative) <= 0)) {
                             caCerts = MemorySegment.NULL;
                         }
                     }

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 959d082..9b8066d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml

@@ -111,6 +111,10 @@
         Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer,
         and use ERR_error_string_n instead. (remm)
       </fix>
+      <fix>
+        Fix a crash on Windows setting CA certificate on null path.
+        (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">