mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set…

…. PR 68080 Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not available, OPENSSL_NO_ENGINE or more generally with the new API (providers) available since OpenSSL >= 3. * ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE. * mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice. Submitted by: ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913815 13f79535-47bb-0310-9956-ffa450edef68
apache · Nov 15, 2023 · 922d6bb · 922d6bb
1 parent 5875b40
commit 922d6bb
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 9 deletions.
diff --git a/changes-entries/pr68080.txt b/changes-entries/pr68080.txt
@@ -0,0 +1,3 @@
+  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
+     Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
+     notably with OpenSSL >= 3.  PR 68080.  [ Yann Ylavic ]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
@@ -89,11 +89,9 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(SessionCache, TAKE1,
                 "SSL Session Cache storage "
                 "('none', 'nonenotnull', 'dbm:/path/to/file')")
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     SSL_CMD_SRV(CryptoDevice, TAKE1,
                 "SSL external Crypto Device usage "
                 "('builtin', '...')")
-#endif
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "('startup|connect builtin|file:/path|exec:/path [bytes]')")

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
@@ -669,7 +669,6 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd,
     return NULL;
 }
 
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
                                     void *dcfg,
                                     const char *arg)
@@ -714,7 +713,6 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
 
     return NULL;
 }
-#endif
 
 const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
                                   void *dcfg,

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
@@ -107,18 +107,17 @@
 /* Avoid tripping over an engine build installed globally and detected
  * when the user points at an explicit non-engine flavor of OpenSSL
  */
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-#if OPENSSL_VERSION_NUMBER < 0x30000000 \
-    || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \
+    && (OPENSSL_VERSION_NUMBER < 0x30000000 \
+        || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+    && !defined(OPENSSL_NO_ENGINE)
 #include <openssl/engine.h>
 #define MODSSL_HAVE_ENGINE_API 1
 #endif
 #ifndef MODSSL_HAVE_ENGINE_API
 #define MODSSL_HAVE_ENGINE_API 0
 #endif
 
-#endif
-
 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
 #error mod_ssl requires OpenSSL 0.9.8a or later
 #endif