[release/3.1] release existingTrust to avoid native memory leak in ssl handshake on macOS

[wfurt]

This is port of dotnet/runtime#41657 to fix dotnet/runtime#34080

Summary

There is memory leak inside of AppleCryptoNative_SslIsHostnameMatch() function which is used to verify peer's name in every client TLS handshake on macOS. There is no workaround and if running long enough, .NET will consume all available memory and crash. The SecTrustRef is internal structure and holds additional objects - like URL of OCSP or CRL responder so leaked memory is bigger than small.

Customer Impact

We have worked with a major customer who has been hitting this leak in an app that they intend to widely deploy within their organization (10K”s of deployments). They are encountering this leak and it is blocking their deployment. They have attempted to work around it by restarting the app when their memory consumption reaches a threshold but this workaround is not sustainable for them at scale so they are seeking a fix backported to 3.1 LTS.

Regression?

no.

Testing

the fix was verified with Apple's development tools e.g. leaks utility

Risk

low. This releases structure we obtained via SSLCopyPeerTrust and it does not change any flow.

cc: @danmosemsft

[danmoseley]

@wfurt did the customer verify with a private binary that this fixes the problem for them?

[wfurt]

I asked on the AWS SDK dotnet/runtime#37318 thread. I will follow-up with support if they don't respond promptly.

[leecow]

Awaiting feedback from customer.

[danmoseley]

Tactics asked that we wait for the customer acknowledgement that this fixes it for them - but if we don't hear back by 9/18 we should merge it anyway to catch 3.1.9

[Anipik]

@wfurt any update from the customer on this one ?

[wfurt]

no, but they got details they asked for today. We asked them if they can finish verification by Friday but I did not see response yet.

[Anipik]

Okay, we can wait another day and then merge it tomorrow.