mod_ssl: Fix regression in PKCS#11 handling which should work without

... SSLCryptoDevice configured Submitted By: jorton, ylavic Reviewed By: jorton, ylavic, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1922083 13f79535-47bb-0310-9956-ffa450edef68
apache · Nov 25, 2024 · c18e0e7 · c18e0e7
1 parent dd54417
commit c18e0e7
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 13 deletions.
diff --git a/changes-entries/modssl-engine-fallback.txt b/changes-entries/modssl-engine-fallback.txt
@@ -0,0 +1,2 @@
+  *) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
+     without "SSLCryptoDevice" configured.  [Joe Orton]
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
@@ -839,6 +839,9 @@ static apr_status_t modssl_engine_cleanup(void *engine)
     return APR_SUCCESS;
 }
 
+/* Tries to load the key and optionally certificate via the ENGINE
+ * API. Returns APR_ENOTIMPL if an ENGINE could not be identified
+ * loaded from the key name. */
 static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
                                                apr_pool_t *ptemp,
                                                const char *vhostid,
@@ -861,19 +864,19 @@ static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
 
     c = ap_strchr_c(keyid, ':');
     if (!c || c == keyid) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10131)
                      "Init: Unrecognized private key identifier `%s'",
                      keyid);
-        return ssl_die(s);
+        return APR_ENOTIMPL;
     }
 
     scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
     if (!(e = ENGINE_by_id(scheme))) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10132)
                      "Init: Failed to load engine for private key %s",
                      keyid);
-        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        return ssl_die(s);
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
+        return APR_ENOTIMPL;
     }
 
     if (!ENGINE_init(e)) {
@@ -1029,15 +1032,21 @@ apr_status_t modssl_load_engine_keypair(server_rec *s,
                                         X509 **pubkey, EVP_PKEY **privkey)
 {
 #if MODSSL_HAVE_ENGINE_API 
-    SSLModConfigRec *mc = myModConfig(s);
+    apr_status_t rv;
+
+    rv = modssl_load_keypair_engine(s, pconf, ptemp,
+                                    vhostid, certid, keyid,
+                                    pubkey, privkey);
+    if (rv == APR_SUCCESS) {
+        return rv;
+    }
+    /* If STORE support is not present, all errors are fatal here; if
+     * STORE is present and the ENGINE could not be loaded, ignore the
+     * error and fall through to try loading via the STORE API. */
+    else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
+        return ssl_die(s);
+    }
 
-    /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
-     * support was not present compile-time, or if it's built but
-     * SSLCryptoDevice is not configured. */
-    if (mc->szCryptoDevice)
-        return modssl_load_keypair_engine(s, pconf, ptemp,
-                                          vhostid, certid, keyid,
-                                          pubkey, privkey);
 #endif
 #if MODSSL_HAVE_OPENSSL_STORE
     return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,