https://issues.redhat.com/browse/RHEL-36755
--- httpd-2.4.59/modules/ssl/ssl_engine_init.c.24 2024-05-22 08:13:42.478057351 +0100
+++ httpd-2.4.59/modules/ssl/ssl_engine_init.c 2024-05-22 08:13:42.489057431 +0100
@@ -1460,7 +1460,7 @@
 if (modssl_is_engine_id(keyfile)) {
 apr_status_t rv;

- if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
+ if ((rv = modssl_load_engine_keypair(s, p, ptemp, vhost_id,
 engine_certfile, keyfile,
 &cert, &pkey))) {
 return rv;
--- httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c.24 2024-05-22 08:13:42.443057094 +0100
+++ httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c 2024-05-22 08:18:55.179844757 +0100
@@ -830,8 +830,19 @@
 #endif

 #if MODSSL_HAVE_ENGINE_API
-static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p,
- const char *vhostid,
+
+static apr_status_t modssl_engine_cleanup(void *engine)
+{
+ ENGINE *e = engine;
+
+ ENGINE_finish(e);
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t modssl_load_keypair_engine(server_rec *s,
+ apr_pool_t *pconf, apr_pool_t *ptemp,
+ const char *vhostid,
 const char *certid,
 const char *keyid,
 X509 **pubkey,
@@ -839,12 +850,12 @@
 {
 const char *c, *scheme;
 ENGINE *e;
- UI_METHOD *ui_method = get_passphrase_ui(p);
+ UI_METHOD *ui_method = get_passphrase_ui(ptemp);
 pphrase_cb_arg_t ppcb;

 memset(&ppcb, 0, sizeof ppcb);
 ppcb.s = s;
- ppcb.p = p;
+ ppcb.p = ptemp;
 ppcb.bPassPhraseDialogOnce = TRUE;
 ppcb.key_id = vhostid;
 ppcb.pkey_file = keyid;
@@ -857,7 +868,7 @@
 return ssl_die(s);
 }

- scheme = apr_pstrmemdup(p, keyid, c - keyid);
+ scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
 if (!(e = ENGINE_by_id(scheme))) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
 "Init: Failed to load engine for private key %s",
@@ -906,7 +917,8 @@
 return ssl_die(s);
 }

- ENGINE_finish(e);
+ apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, modssl_engine_cleanup);
+
 ENGINE_free(e);

 return APR_SUCCESS;
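Review bot: The new `modssl_engine_cleanup` in the -830 hunk has no comment saying which ENGINE reference it releases or when it runs, and the new `pconf`/`ptemp` parameters of `modssl_load_keypair_engine` are undocumented as well. Above the cleanup I would add `/* Pool cleanup: drop the functional ENGINE reference when the pool it is registered on is destroyed. */`; the reference is presumably the one taken by an ENGINE_init() call that lies outside the visible hunks. Above the loader I would add `/* pconf only carries the ENGINE cleanup; all scratch allocations come from ptemp. */`, which matches the later hunks in this file. The loader's signature and body continue outside this hunk.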
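Review bot: In the -906 hunk the child-cleanup argument of `apr_pool_cleanup_register` is also `modssl_engine_cleanup`, so `ENGINE_finish(e)` would additionally run in a forked child when APR runs child cleanups before an exec. For an engine backed by a hardware token or a PKCS#11 module, the engine's finish handler would then run in a process that never initialised that module, which such libraries generally do not support. Unless that is intended, `apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, apr_pool_cleanup_null);` keeps the release in the parent only. A short comment here should also state that the functional reference is deferred to pconf teardown while `ENGINE_free(e)` drops only the structural reference from `ENGINE_by_id`. The function's closing lines are outside the hunk.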
@@ -1007,7 +1019,8 @@
 }
 #endif

-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+apr_status_t modssl_load_engine_keypair(server_rec *s,
+ apr_pool_t *pconf, apr_pool_t *ptemp,
 const char *vhostid,
 const char *certid, const char *keyid,
 X509 **pubkey, EVP_PKEY **privkey)
@@ -1016,11 +1029,11 @@
 SSLModConfigRec *mc = myModConfig(s);

 if (!mc->szCryptoDevice)
- return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
+ return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
 pubkey, privkey);
 #endif
 #if MODSSL_HAVE_ENGINE_API
- return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
+ return modssl_load_keypair_engine(s, pconf, ptemp, vhostid, certid, keyid,
 pubkey, privkey);
 #else
 return APR_ENOTIMPL;
diff -uap httpd-2.4.59/modules/ssl/ssl_private.h.24 httpd-2.4.59/modules/ssl/ssl_private.h
--- httpd-2.4.59/modules/ssl/ssl_private.h.24 2024-05-22 08:13:42.479057358 +0100
+++ httpd-2.4.59/modules/ssl/ssl_private.h 2024-05-22 08:13:42.489057431 +0100
@@ -1090,7 +1090,8 @@
 /* Load public and/or private key from the configured ENGINE. Private
 * key returned as *pkey. certid can be NULL, in which case *pubkey
 * is not altered. Errors logged on failure. */
-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+apr_status_t modssl_load_engine_keypair(server_rec *s,
+ apr_pool_t *pconf, apr_pool_t *ptemp,
 const char *vhostid,
 const char *certid, const char *keyid,
 X509 **pubkey, EVP_PKEY **privkey);
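Review bot: The comment above the prototype in the ssl_private.h hunk is left unchanged, so it does not tell callers what the two pools are for, although they must now pass a pool that outlives the returned key. Going by the ssl_engine_pphrase.c hunks, `pconf` receives the cleanup that releases the ENGINE and `ptemp` serves scratch allocations. I would add a sentence such as `pconf must live at least as long as *privkey is in use; ptemp is used for temporary allocations only.` The same comment names the output `*pkey` while the parameter is `privkey`, which could be corrected in the same edit.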