httpd/backport-release-memory-to-the-OS-when-needed.patch

From 80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6 Mon Sep 17 00:00:00 2001
From: Graham Leggett <minfrin@apache.org>
Date: Sat, 18 Nov 2023 11:20:14 +0000
Subject: [PATCH] Backport to v2.4:

  *) mod_ssl: release memory to the OS when needed
     Trunk version of patch:
       https://svn.apache.org/r1898410
       https://svn.apache.org/r1898366
        svn merge -c 1898366 ^/httpd/httpd/trunk .
        svn merge -c 1898410 ^/httpd/httpd/trunk .
     +1: gbechis, ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913909 13f79535-47bb-0310-9956-ffa450edef68

Conflict:The changelog contains context adaptation and does not contain the STATUS file
Reference:https://github.com/apache/httpd/commit/80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6

---
 CHANGES                         | 4 ++++
 modules/ssl/ssl_engine_init.c   | 7 ++++++-
 modules/ssl/ssl_util_ocsp.c     | 5 ++++-
 modules/ssl/ssl_util_stapling.c | 4 +++-
 4 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4a2aa4a..518b39a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.59
+
+  *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
+
 Changes with Apache 2.4.58
 
   *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 3d0d0b8..e42672e 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1801,6 +1801,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
                      "SSL proxy client cert initialization failed");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+        sk_X509_INFO_free(sk);
         return ssl_die(s);
     }
 
@@ -1810,7 +1811,11 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
         int i;
 
         X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);
-        X509_STORE_CTX_init(sctx, store, inf->x509, NULL);
+        if (!X509_STORE_CTX_init(sctx, store, inf->x509, NULL)) {
+            sk_X509_INFO_free(sk);
+            X509_STORE_CTX_free(sctx);
+            return ssl_die(s);
+        }
 
         /* Attempt to verify the client cert */
         if (X509_verify_cert(sctx) != 1) {
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index b9c8a0b..a202a72 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -370,8 +370,11 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
     while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
         if (!other_certs) {
                 other_certs = sk_X509_new_null();
-                if (!other_certs)
+                if (!other_certs) {
+                        X509_free(x509);
+                        BIO_free(bio);
                         return NULL;
+                }
         }
                 
         if (!sk_X509_push(other_certs, x509)) {
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index c9d1d8e..a2ed99b 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -117,8 +117,10 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
     }
 
     inctx = X509_STORE_CTX_new();
-    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
+    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) {
+        X509_STORE_CTX_free(inctx);
         return 0;
+    }
     if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
         issuer = NULL;
     X509_STORE_CTX_cleanup(inctx);
-- 
2.33.0
fix CVE-2024-24795,CVE-2023-38709,CVE-2024-27316 and sync some patches from upstream (cherry picked from commit 63648433e7db79115f79ef343c7c065bb260cbe6) 2024-05-06 20:53:55 +08:00			`From 80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6 Mon Sep 17 00:00:00 2001`
			`From: Graham Leggett <minfrin@apache.org>`
			`Date: Sat, 18 Nov 2023 11:20:14 +0000`
			`Subject: [PATCH] Backport to v2.4:`

			`*) mod_ssl: release memory to the OS when needed`
			`Trunk version of patch:`
			`https://svn.apache.org/r1898410`
			`https://svn.apache.org/r1898366`
			`svn merge -c 1898366 ^/httpd/httpd/trunk .`
			`svn merge -c 1898410 ^/httpd/httpd/trunk .`
			`+1: gbechis, ylavic, jorton`



			`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913909 13f79535-47bb-0310-9956-ffa450edef68`

			`Conflict:The changelog contains context adaptation and does not contain the STATUS file`
			`Reference:https://github.com/apache/httpd/commit/80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6`

			`---`
			`CHANGES \| 4 ++++`
			`modules/ssl/ssl_engine_init.c \| 7 ++++++-`
			`modules/ssl/ssl_util_ocsp.c \| 5 ++++-`
			`modules/ssl/ssl_util_stapling.c \| 4 +++-`
			`4 files changed, 17 insertions(+), 3 deletions(-)`

			`diff --git a/CHANGES b/CHANGES`
			`index 4a2aa4a..518b39a 100644`
			`--- a/CHANGES`
			`+++ b/CHANGES`
			`@@ -1,4 +1,8 @@`
			`-- coding: utf-8 --`
			`+Changes with Apache 2.4.59`
			`+`
			`+ *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]`
			`+`
			`Changes with Apache 2.4.58`

			`*) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:`
			`diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c`
			`index 3d0d0b8..e42672e 100644`
			`--- a/modules/ssl/ssl_engine_init.c`
			`+++ b/modules/ssl/ssl_engine_init.c`
			`@@ -1801,6 +1801,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,`
			`ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)`
			`"SSL proxy client cert initialization failed");`
			`ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);`
			`+ sk_X509_INFO_free(sk);`
			`return ssl_die(s);`
			`}`

			`@@ -1810,7 +1811,11 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,`
			`int i;`

			`X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);`
			`- X509_STORE_CTX_init(sctx, store, inf->x509, NULL);`
			`+ if (!X509_STORE_CTX_init(sctx, store, inf->x509, NULL)) {`
			`+ sk_X509_INFO_free(sk);`
			`+ X509_STORE_CTX_free(sctx);`
			`+ return ssl_die(s);`
			`+ }`

			`/* Attempt to verify the client cert */`
			`if (X509_verify_cert(sctx) != 1) {`
			`diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c`
			`index b9c8a0b..a202a72 100644`
			`--- a/modules/ssl/ssl_util_ocsp.c`
			`+++ b/modules/ssl/ssl_util_ocsp.c`
			`@@ -370,8 +370,11 @@ static STACK_OF(X509) modssl_read_ocsp_certificates(const char file)`
			`while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {`
			`if (!other_certs) {`
			`other_certs = sk_X509_new_null();`
			`- if (!other_certs)`
			`+ if (!other_certs) {`
			`+ X509_free(x509);`
			`+ BIO_free(bio);`
			`return NULL;`
			`+ }`
			`}`

			`if (!sk_X509_push(other_certs, x509)) {`
			`diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c`
			`index c9d1d8e..a2ed99b 100644`
			`--- a/modules/ssl/ssl_util_stapling.c`
			`+++ b/modules/ssl/ssl_util_stapling.c`
			`@@ -117,8 +117,10 @@ static X509 stapling_get_issuer(modssl_ctx_t mctx, X509 *x)`
			`}`

			`inctx = X509_STORE_CTX_new();`
			`- if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))`
			`+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) {`
			`+ X509_STORE_CTX_free(inctx);`
			`return 0;`
			`+ }`
			`if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)`
			`issuer = NULL;`
			`X509_STORE_CTX_cleanup(inctx);`
			`--`
			`2.33.0`