fix a memory leak in mod_ssl and take maintainership

ok sthen@ on a similar diff
2020-04-17 16:26:32 +00:00 · 2020-04-17 16:26:32 +00:00 · 80372f34c7
commit 80372f34c7
parent 5a6bb98f65
2 changed files with 90 additions and 1 deletions
--- a/www/apache-httpd/Makefile
+++ b/www/apache-httpd/Makefile
@ -1,13 +1,16 @@
-# $OpenBSD: Makefile,v 1.102 2020/03/31 14:30:33 sthen Exp $
+# $OpenBSD: Makefile,v 1.103 2020/04/17 16:26:32 giovanni Exp $

 COMMENT=		apache HTTP server

 V=			2.4.43
 DISTNAME=		httpd-${V}
 PKGNAME=		apache-httpd-${V}
+REVISION=		0

 CATEGORIES=		www net

+MAINTAINER=		Giovanni Bechis <giovanni@openbsd.org>
+
 HOMEPAGE=		https://httpd.apache.org/

 # Apache 2.0
--- a/www/apache-httpd/patches/patch-modules_ssl_ssl_util_stapling_c
+++ b/www/apache-httpd/patches/patch-modules_ssl_ssl_util_stapling_c
@ -0,0 +1,86 @@
+$OpenBSD: patch-modules_ssl_ssl_util_stapling_c,v 1.1 2020/04/17 16:26:32 giovanni Exp $
+
+Memory leak in mod_ssl 
+https://svn.apache.org/viewvc?view=revision&revision=1876548
+https://bz.apache.org/bugzilla/show_bug.cgi?id=63687
+
+Index: modules/ssl/ssl_util_stapling.c
+--- modules/ssl/ssl_util_stapling.c.orig
+++ modules/ssl/ssl_util_stapling.c
+@@ -134,6 +134,7 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *
+     X509 *issuer = NULL;
+     OCSP_CERTID *cid = NULL;
+     STACK_OF(OPENSSL_STRING) *aia = NULL;
+    int rv = 1; /* until further notice */
+ 
+     if (x == NULL)
+         return 0;
+@@ -158,16 +159,18 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *
+             SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb);
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10177) "OCSP stapling added via hook");
+         }
+-        return 1;
+        goto cleanup;
+     }
+     
+     if (mctx->stapling_enabled != TRUE) {
+         /* mod_ssl's own implementation is not enabled */
+-        return 1;
+        goto cleanup;
+     }
+     
+-    if (X509_digest(x, EVP_sha1(), idx, NULL) != 1)
+-        return 0;
+    if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) {
+        rv = 0;
+        goto cleanup;
+    }
+ 
+     cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
+     if (cinf) {
+@@ -181,18 +184,18 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *
+                            APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
+                            "in certificate and no SSLStaplingForceURL "
+                            "configured for server %s", mctx->sc->vhost_id);
+-            return 0;
+            rv = 0;
+         }
+-        return 1;
+        goto cleanup;
+     }
+ 
+     cid = OCSP_cert_to_id(NULL, x, issuer);
+-    X509_free(issuer);
+     if (!cid) {
+         ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
+                        "ssl_stapling_init_cert: can't create CertID "
+                        "for OCSP request");
+-        return 0;
+        rv = 0;
+        goto cleanup;
+     }
+ 
+     aia = X509_get1_ocsp(x);
+@@ -201,7 +204,8 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *
+         ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
+                        APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
+                        "in certificate and no SSLStaplingForceURL set");
+-        return 0;
+        rv = 0;
+        goto cleanup;
+     }
+ 
+     /* At this point, we have determined that there's something to store */
+@@ -222,8 +226,10 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *
+                    mctx->sc->vhost_id);
+ 
+     apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
+-    
+-    return 1;
+
+cleanup:
+    X509_free(issuer);
+    return rv;
+ }
+ 
+ static certinfo *stapling_get_certinfo(server_rec *s, X509 *x, modssl_ctx_t *mctx,