From 80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6 Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Sat, 18 Nov 2023 11:20:14 +0000
Subject: [PATCH] Backport to v2.4:
*) mod_ssl: release memory to the OS when needed
Trunk version of patch:
https://svn.apache.org/r1898410
https://svn.apache.org/r1898366
svn merge -c 1898366 ^/httpd/httpd/trunk .
svn merge -c 1898410 ^/httpd/httpd/trunk .
+1: gbechis, ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913909 13f79535-47bb-0310-9956-ffa450edef68
Conflict:The changelog contains context adaptation and does not contain the STATUS file
Reference:https://github.com/apache/httpd/commit/80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6
---
 CHANGES | 4 ++++
 modules/ssl/ssl_engine_init.c | 7 ++++++-
 modules/ssl/ssl_util_ocsp.c | 5 ++++-
 modules/ssl/ssl_util_stapling.c | 4 +++-
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 4a2aa4a..518b39a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.59 + + *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis] + Changes with Apache 2.4.58 *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 3d0d0b8..e42672e 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1801,6 +1801,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
 "SSL proxy client cert initialization failed");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ sk_X509_INFO_free(sk);
 return ssl_die(s);
 }
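Review bot: `sk_X509_INFO_free(sk)` on the added line releases only the stack, not the X509_INFO entries it holds, so this error path still keeps the parsed proxy client certificates and keys alive unless ownership of those entries has moved elsewhere; `sk_X509_INFO_pop_free(sk, X509_INFO_free);` would release both. The same call is added in the next hunk of this file, where the line before it reads the same certificates through `pkp->certs`; if `sk` has already been stored there (that assignment is outside both hunks), freeing it leaves `pkp->certs` dangling, and `store`, which the next hunk passes to X509_STORE_CTX_init, is not released on either path. ssl_init_proxy_certs starts before this hunk and continues after it.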
@@ -1810,7 +1811,11 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
 int i;
 X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);
- X509_STORE_CTX_init(sctx, store, inf->x509, NULL);
+ if (!X509_STORE_CTX_init(sctx, store, inf->x509, NULL)) {
+ sk_X509_INFO_free(sk);
+ X509_STORE_CTX_free(sctx);
+ return ssl_die(s);
+ }
 /* Attempt to verify the client cert */
 if (X509_verify_cert(sctx) != 1) {
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index b9c8a0b..a202a72 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -370,8 +370,11 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
 if (!other_certs) {
 other_certs = sk_X509_new_null();
- if (!other_certs)
+ if (!other_certs) {
+ X509_free(x509);
+ BIO_free(bio);
 return NULL;
+ }
 }
 if (!sk_X509_push(other_certs, x509)) {
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index c9d1d8e..a2ed99b 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -117,8 +117,10 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
 }
 inctx = X509_STORE_CTX_new();
- if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) {
+ X509_STORE_CTX_free(inctx);
 return 0;
+ }
 if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
 issuer = NULL;
 X509_STORE_CTX_cleanup(inctx);
-- 2.33.0
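Review bot: The new failure branch returns ssl_die(s) without logging anything, whereas the X509_STORE_load_locations failure in the preceding hunk records APLOGNO(02208) and calls ssl_log_ssl_error first, so an X509_STORE_CTX_init failure would leave no diagnostic of its own in the error log; add `ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);` (with an ap_log_error carrying a fresh APLOGNO) before the return. The branch also frees `sctx` but not `store`, which the same call receives; unless `store` is owned elsewhere it should be released on this path as well. The enclosing function starts outside the hunk.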
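Review bot: The new cleanup inlines `X509_free(x509); BIO_free(bio);` ahead of the existing `return NULL;`, while the sibling failure branch on the hunk's last line, `if (!sk_X509_push(other_certs, x509))`, has to release the same two objects plus whatever `other_certs` already holds; its body is outside the hunk, so it is worth confirming the two paths match. A single cleanup label (`goto fail;` that frees x509, releases other_certs with sk_X509_pop_free and then the bio) would keep the error paths in modssl_read_ocsp_certificates from drifting apart as more are added. The function starts and ends outside the hunk.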
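Review bot: `inctx` comes from X509_STORE_CTX_new() on the line just above the change and is handed to X509_STORE_CTX_init without a NULL check, so an allocation failure still reaches the library with a null context, which it is not guaranteed to reject; since X509_STORE_CTX_free accepts NULL, the guard folds in as `if (!inctx || !X509_STORE_CTX_init(inctx, st, NULL, NULL)) {`. stapling_get_issuer returns a pointer, so the bare `return 0;` the hunk keeps reads better as `return NULL;`. The function continues past the hunk.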