authorJoe Orton <jorton@apache.org>2018-07-11 09:46:08 +0200
committerJoe Orton <jorton@apache.org>2018-07-11 09:46:08 +0200
commitefd2868a62e976df303dbb9c3847b95f4d56f5a6 (patch)
tree1b8cb26fdcb84b95679492cd7c043a6f5506513d /modules
parentUpdate docs and bump logno for PKCS#11 support change in r1835615. (diff)
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
the engine associated with the private key (&cert) explicitly rather than requiring the engine to be set as the default method for all operations (with "SSLCryptoDevice <engine>"). (Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested improvement and guidance) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1835615 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r--modules/ssl/ssl_engine_pphrase.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index a39b6f4707..c32debd45a 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -810,7 +810,7 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
const char *certid, const char *keyid,
X509 **pubkey, EVP_PKEY **privkey)
{
- SSLModConfigRec *mc = myModConfig(s);
+ const char *c, *scheme;
ENGINE *e;
UI_METHOD *ui_method = get_passphrase_ui(p);
pphrase_cb_arg_t ppcb;
@@ -822,21 +822,35 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
ppcb.key_id = vhostid;
ppcb.pkey_file = keyid;
- if (!mc->szCryptoDevice) {
+ c = ap_strchr_c(keyid, ':');
+ if (!c || c == keyid) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
- "Init: Cannot load private key `%s' without engine",
+ "Init: Unrecognized private key identifier `%s'",
keyid);
return ssl_die(s);
}
- if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
+ scheme = apr_pstrmemdup(p, keyid, c - keyid);
+ if (!(e = ENGINE_by_id(scheme))) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
- "Init: Failed to load Crypto Device API `%s'",
- mc->szCryptoDevice);
+ "Init: Failed to load engine for private key %s",
+ keyid);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s);
}
+ if (!ENGINE_init(e)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10149)
+ "Init: Failed to initialize engine %s for private key %s",
+ scheme, keyid);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return ssl_die(s);
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Init: Initialized engine %s for private key %s",
+ scheme, keyid);
+
if (APLOGdebug(s)) {
ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0);
}
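Review bot: The ENGINE_init failure branch (the block after `if (!ENGINE_init(e))`) returns through ssl_die() without releasing the structural reference taken by ENGINE_by_id() a few lines earlier, while the success path at the end of the function now pairs ENGINE_finish() with ENGINE_free(); add `ENGINE_free(e);` immediately before that `return ssl_die(s);` so the two exit paths are symmetric. Whether the leak is observable depends on whether ssl_die() exits the process or returns an error to a caller that continues, which is not visible here, but the cleanup is one line and cheap. Separately, the two new EMERG messages and the new DEBUG message echo the full `keyid`; if the identifier is an RFC 7512 PKCS#11 URI it can carry a `pin-value` attribute, so logging `scheme` instead of `keyid` (or truncating the identifier at its first `;`) would avoid writing a token PIN into the error log — worth confirming whether such URIs are accepted by this loader. The body of modssl_load_engine_keypair continues outside this hunk, so the key/cert loading error returns that would also need ENGINE_finish()/ENGINE_free() cannot be reviewed here.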
@@ -865,6 +879,7 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
return ssl_die(s);
}
+ ENGINE_finish(e);
ENGINE_free(e);
return APR_SUCCESS;