From: Joe Orton Date: Fri, 17 Aug 2012 11:59:45 +0000 (+0000) Subject: * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for X-Git-Tag: 2.5.0-alpha~6421 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f30dd277714e15d89a7834726c0e8249317e3c17;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for missing decrypted private keys, and ensure that the keypair matches. PR: 52212 Submitted by: Keith Burdis , jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1374214 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ab566c34f75..bd19bd4fb91 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Catch missing or mismatched client cert/key pairs with + SSLProxyCACertificateFile/Path directives. PR 52212. + [Keith Burdis , Joe Orton] + *) mod_lua: Allow scripts handled by the lua-script handler to return a status code to the client (such as a 302 or a 500) [Daniel Gruno] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 8cdc29a3215..72662e04654 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1381,7 +1381,7 @@ static void ssl_init_proxy_certs(server_rec *s, for (n = 0; n < ncerts; n++) { X509_INFO *inf = sk_X509_INFO_value(sk, n); - if (!inf->x509 || !inf->x_pkey) { + if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) { sk_X509_INFO_free(sk); ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) "incomplete client cert configured for SSL proxy " 
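Review bot: The widened condition on the changed line now also fires when `inf->x_pkey` is present but `inf->x_pkey->dec_pkey` is NULL, yet it falls into the same error that says `incomplete client cert configured for SSL proxy`, which points the reader at a missing key rather than one that is present but undecoded (presumably an encrypted PEM key that PEM_X509_INFO_read left in its encrypted form — confirm). A log reader then searches for an absent key file instead of a passphrase problem. Consider keeping `if (!inf->x509 || !inf->x_pkey)` as it was and adding an `else if (!inf->x_pkey->dec_pkey)` branch that logs something like `"encrypted or unreadable private key configured for SSL proxy"` with its own APLOGNO, or at least extend the existing message to name both cases. ssl_init_proxy_certs() begins before this hunk and the ap_log_error() call continues after it.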
@@ -1389,6 +1389,15 @@ static void ssl_init_proxy_certs(server_rec *s, ssl_die(s); return; } + + if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) { + ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509, + APLOGNO(02326) "proxy client certificate and " + "private key do not match"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); + ssl_die(s); + return; + } } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) @@ -1412,6 +1421,8 @@ static void ssl_init_proxy_certs(server_rec *s, ssl_die(s); } + /* ### Why is all the following done? Why is it necessary or + * useful for the server to try to verify its own client cert? */ X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); for (n = 0; n < ncerts; n++) {
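Review bot: The new mismatch branch ends in `ssl_die(s); return;` without releasing `sk`, whereas the incomplete-cert branch immediately above it (previous hunk) calls `sk_X509_INFO_free(sk);` before logging and dying. If ssl_die() never returns the leak is moot, but the trailing `return;` shows the code is written as though it could, so the two error paths should behave the same: add `sk_X509_INFO_free(sk);` after the ssl_log_ssl_error() call and before ssl_die(). Placing the free after the log calls avoids any question about `inf->x509` being used while the stack is being torn down. The enclosing for loop starts in the previous hunk and ssl_init_proxy_certs() continues past this one; the third hunk only adds a comment and is not reviewed separately.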