From: Joe Orton
Date: Tue, 8 May 2018 12:50:26 +0000 (+0000)
Subject: * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2619
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acd5236f9096c3342ddea999c5a97193ee9da203;p=thirdparty%2Fapache%2Fhttpd.git
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error logno. Free EVP_PKEY in engine case. Never try reading ECDH/DH parameters from engine ids.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1831173 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 75879326c48..514825f9145 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1302,7 +1302,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
             if (cert) {
                 if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
-                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
+                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
                                  "Failed to configure engine certificate %s, check %s",
                                  key_id, certfile);
                     ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
@@ -1320,6 +1320,9 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
                 return APR_EGENERAL;
             }
+
+            /* SSL_CTX now owns the key */
+            EVP_PKEY_free(pkey);
         }
         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
                                                 SSL_FILETYPE_PEM) < 1)
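Review bot: The `EVP_PKEY_free(pkey);` added after the private-key check runs only on the success path; the `return APR_EGENERAL;` in the context lines just above it still leaves the function without releasing pkey, so on that error exit the engine-loaded key is leaked (assuming pkey is a reference this function owns, which the loader call outside the hunk would establish). The error path after the failed SSL_CTX_use_certificate() in the preceding hunk has the same shape, with both cert and pkey still live when it presumably returns. A single `EVP_PKEY_free(pkey);` before each early return closes both, and EVP_PKEY_free() tolerates NULL so no extra guard is needed; the enclosing if-block starts and ends outside these hunks. As a wording point, SSL_CTX_use_PrivateKey() takes its own reference rather than adopting the caller's, so `/* SSL_CTX_use_PrivateKey() holds its own reference; drop ours. */` describes the free more precisely than "now owns the key".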
@@ -1412,8 +1415,9 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
     /*
      * Try to read DH parameters from the (first) SSLCertificateFile
      */
-    if ((certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *)) &&
-        (dhparams = ssl_dh_GetParamFromFile(certfile))) {
+    certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+    if (certfile && !modssl_is_engine_id(certfile)
+        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                      "Custom DH parameters (%d bits) for %s loaded from %s",
@@ -1425,10 +1429,10 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
     /*
      * Similarly, try to read the ECDH curve name from SSLCertificateFile...
      */
-    if ((certfile != NULL) &&
-        (ecparams = ssl_ec_GetParamFromFile(certfile)) &&
-        (nid = EC_GROUP_get_curve_name(ecparams)) &&
-        (eckey = EC_KEY_new_by_curve_name(nid))) {
+    if (certfile && !modssl_is_engine_id(certfile)
+        && (ecparams = ssl_ec_GetParamFromFile(certfile))
+        && (nid = EC_GROUP_get_curve_name(ecparams))
+        && (eckey = EC_KEY_new_by_curve_name(nid))) {
         SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
                      "ECDH curve %s for %s specified in %s",
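Review bot: The rewritten DH condition and the ECDH condition in the following hunk each evaluate `certfile && !modssl_is_engine_id(certfile)` separately, so the "this is a PEM file, not an engine id" decision is made twice and the two guards can drift apart if one is later edited. Computing it once right after the new assignment, e.g. `const int certfile_is_pem = certfile && !modssl_is_engine_id(certfile);`, and testing that flag in both `if` statements keeps the DH and ECDH paths in step. The hoisted `certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);` also reads element 0 without consulting `nelts`, as the old condition did; presumably an earlier check in this function guarantees at least one SSLCertificateFile, but a short comment stating that assumption would help a reader. The rest of ssl_init_server_certs lies outside these hunks.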