From c18e0e7b078b857f7d65577e46d42e3df7bb150b Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Mon, 25 Nov 2024 13:37:20 +0000
Subject: [PATCH] mod_ssl: Fix regression in PKCS#11 handling which should work without ... SSLCryptoDevice configured
Submitted By: jorton, ylavic
Reviewed By: jorton, ylavic, rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1922083 13f79535-47bb-0310-9956-ffa450edef68
---
 changes-entries/modssl-engine-fallback.txt |  2 ++
 modules/ssl/ssl_engine_pphrase.c           | 35 ++++++++++++++--------
 2 files changed, 24 insertions(+), 13 deletions(-)
 create mode 100644 changes-entries/modssl-engine-fallback.txt

diff --git a/changes-entries/modssl-engine-fallback.txt b/changes-entries/modssl-engine-fallback.txt
new file mode 100644
index 00000000000..6e56641d0e5
--- /dev/null
+++ b/changes-entries/modssl-engine-fallback.txt
@@ -0,0 +1,2 @@
+  *) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
+     without "SSLCryptoDevice" configured. [Joe Orton]
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index 8a08ede67af..5f18589a03e 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -839,6 +839,9 @@ static apr_status_t modssl_engine_cleanup(void *engine)
     return APR_SUCCESS;
 }
 
+/* Tries to load the key and optionally certificate via the ENGINE
+ * API. Returns APR_ENOTIMPL if an ENGINE could not be identified
+ * loaded from the key name. */
 static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
                                                apr_pool_t *ptemp,
                                                const char *vhostid,
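Review bot: The comment added above modssl_load_keypair_engine is missing a word between `identified` and `loaded`, so the contract it states is ambiguous; suggest `* API. Returns APR_ENOTIMPL if an ENGINE could not be identified or` / `* loaded from the key name. */`. It would also help the caller to state that every other failure remains fatal: only the two early exits changed in the next hunk return APR_ENOTIMPL, and later failures such as ENGINE_init are not touched by this patch, so they presumably still go through ssl_die. The function body starts after the end of this hunk.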
@@ -861,19 +864,19 @@ static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
 
     c = ap_strchr_c(keyid, ':');
     if (!c || c == keyid) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10131)
                      "Init: Unrecognized private key identifier `%s'",
                      keyid);
-        return ssl_die(s);
+        return APR_ENOTIMPL;
     }
 
     scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
     if (!(e = ENGINE_by_id(scheme))) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10132)
                      "Init: Failed to load engine for private key %s",
                      keyid);
-        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        return ssl_die(s);
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
+        return APR_ENOTIMPL;
     }
 
     if (!ENGINE_init(e)) {
@@ -1029,15 +1032,21 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *pconf,
                                         X509 **pubkey, EVP_PKEY **privkey)
 {
 #if MODSSL_HAVE_ENGINE_API
-    SSLModConfigRec *mc = myModConfig(s);
+    apr_status_t rv;
+
+    rv = modssl_load_keypair_engine(s, pconf, ptemp,
+                                    vhostid, certid, keyid,
+                                    pubkey, privkey);
+    if (rv == APR_SUCCESS) {
+        return rv;
+    }
+    /* If STORE support is not present, all errors are fatal here; if
+     * STORE is present and the ENGINE could not be loaded, ignore the
+     * error and fall through to try loading via the STORE API. */
+    else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
+        return ssl_die(s);
+    }
 
-    /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
-     * support was not present compile-time, or if it's built but
-     * SSLCryptoDevice is not configured. */
-    if (mc->szCryptoDevice)
-        return modssl_load_keypair_engine(s, pconf, ptemp,
-                                          vhostid, certid, keyid,
-                                          pubkey, privkey);
 #endif
 #if MODSSL_HAVE_OPENSSL_STORE
     return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
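Review bot: On builds with STORE support the ENGINE_by_id failure is now an expected step on the fallback route, yet it still logs at APLOG_NOTICE and dumps the OpenSSL error queue via `ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);`, so every start without SSLCryptoDevice on such builds emits a notice plus engine errors before the STORE load succeeds (assuming the caller only reaches this function for engine-style key ids). Consider logging both early exits at APLOG_DEBUG, or returning APR_ENOTIMPL quietly and letting the caller pick a severity that matches whether the failure turns out to be fatal. Keep the `ssl_log_ssl_error` call at whatever level is chosen, since, if it drains the error queue as it logs, that stops stale ENGINE errors surfacing later from the STORE path. modssl_load_keypair_engine starts and ends outside this hunk.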
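Review bot: The fatal branch in modssl_load_engine_keypair (`return ssl_die(s);`) emits no diagnostic of its own, and the only messages written before it were downgraded to APLOG_NOTICE in the previous hunk, so on a build without STORE support a startup failure over an unrecognised key id is now reported only at notice level plus the generic ssl_die output. An EMERG log that names the key id before ssl_die restores that. Two smaller points on the same lines: `!MODSSL_HAVE_OPENSSL_STORE` is evaluated as a C expression, which only compiles if the macro is always defined to an integer rather than left undefined on older OpenSSL (if that is not guaranteed, `#if` guards are safer), and the `else` after a `return`, with the block comment wedged between `}` and `else if`, reads oddly; a plain guard clause is clearer. The APLOGNO tag below is a placeholder to be allocated.

```c
/* … unchanged: modssl_load_keypair_engine() call … */
    if (rv == APR_SUCCESS) {
        return APR_SUCCESS;
    }
    /* Without STORE support every ENGINE failure is fatal; with it, an
     * unidentifiable ENGINE (APR_ENOTIMPL) falls through to the STORE API. */
    if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(NNNNN) /* placeholder tag */
                     "Init: Failed to load private key %s via ENGINE", keyid);
        return ssl_die(s);
    }
/* … unchanged: #endif and STORE fallback … */
```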