From: Jim Jagielski Date: Sat, 19 Mar 2016 13:26:25 +0000 (+0000) Subject: Merge r1720129, r1723295, r1733088, r1733089 from trunk: X-Git-Tag: 2.4.19~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7459fa0d6353aa4601fc0643a10cc0e806533f2;p=thirdparty%2Fapache%2Fhttpd.git Merge r1720129, r1723295, r1733088, r1733089 from trunk: * mod_ssl: Free dhparams when getting DH params. This fixes issue when SSLCryptoDevice does not get unregistered because of non-zero refcount during the mod_ssl unload happening on httpd startup. mod_ssl: follow up to r1720129. Free ecparams read from certificate file(s) on startup. Follow up to r1720129 and r1723295: CHANGES entry. Rephrase r1733088 since leaking means horrible things in cryptography. This is not a security fix :p Submitted by: jkaluza, ylavic, ylavic, ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735770 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 931dbb73c45..b2364409f42 100644 --- a/CHANGES +++ b/CHANGES @@ -110,6 +110,9 @@ *) core: Ensure that httpd exits with an error status when the MPM fails to run. [Yann Ylavic] + *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params. + [Jan Kaluza, Yann Ylavic] + *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries to OCSP responders through a HTTP proxy. [Ruediger Pluem] diff --git a/STATUS b/STATUS index 532f43be1de..57047e4cefc 100644 --- a/STATUS +++ b/STATUS 
@@ -112,18 +112,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: Free dhparams when getting DH params. This fixes issue when - SSLCryptoDevice does not get unregistered because of non-zero refcount - during the mod_ssl unload happening on httpd startup. - trunk patch: http://svn.apache.org/r1720129 - http://svn.apache.org/r1723295 - http://svn.apache.org/r1733088 - http://svn.apache.org/r1733089 - 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-dh_leaks.patch - +1: ylavic, icing, trawick - rpluem says: Can we get an updated 2.4.x proposal that includes r1723295? - ylavic: r1723295 + CHANGES entry now included => votes reset - *) mod_deflate: follow up to r1619444 (and to r1619383). (backported in r1669555) Fix counting of inflated bytes in deflate_in_filter() when asked to flush diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index d158795e6ee..3704bd7230e 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1026,7 +1026,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, X509 *cert; DH *dhparams; #ifdef HAVE_ECC - EC_GROUP *ecparams; + EC_GROUP *ecparams = NULL; int nid; EC_KEY *eckey = NULL; #endif @@ -1174,6 +1174,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) "Custom DH parameters (%d bits) for %s loaded from %s", BN_num_bits(dhparams->p), vhost_id, certfile); + DH_free(dhparams); } #ifdef HAVE_ECC @@ -1202,6 +1203,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, #endif } EC_KEY_free(eckey); + EC_GROUP_free(ecparams); #endif return APR_SUCCESS;
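Review bot: in the CHANGES hunk, the new entry says the leak occurs "on restart", while the commit message describes it as happening during the mod_ssl unload on httpd startup; consider wording the entry so the two agree (e.g. "on startup/restart"), since the release notes are what users will read when deciding whether the fix applies to them.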
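Review bot: in the first ssl_engine_init.c hunk, initialising `EC_GROUP *ecparams = NULL;` is what makes the later unconditional `EC_GROUP_free(ecparams)` safe when no EC params were read; for symmetry and to protect against a future unconditional free, `DH *dhparams` could be initialised to NULL as well, since it is currently only freed inside the block that assigned it.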
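Review bot: in the second ssl_engine_init.c hunk, `DH_free(dhparams);` is correctly placed after the `ap_log_error` call that still dereferences `dhparams->p`; the hunk does not show the call that installs the parameters into the SSL_CTX, so please confirm it takes its own copy or reference, otherwise freeing here would leave the context holding a dangling pointer. A short comment next to the free stating that the context keeps its own copy would make that invariant visible to the next reader.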
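Review bot: in the third ssl_engine_init.c hunk, `EC_GROUP_free(ecparams);` is unconditional and sits inside `#ifdef HAVE_ECC`, so it depends on the `= NULL` initialisation added in the first hunk (freeing NULL is a no-op); if the two hunks are ever backported separately this free would read an uninitialised pointer, so they should stay together. As with the DH case, it is worth confirming that the group was duplicated when attached to the EC key, so that freeing the original here is safe.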