From efd2868a62e976df303dbb9c3847b95f4d56f5a6 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 11 Jul 2018 07:46:08 +0000
Subject: * modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load the engine associated with the private key (&cert) explicitly rather than requiring the engine to be set as the default method for all operations (with "SSLCryptoDevice "). (Thanks to Anderson Sasaki for suggested improvement and guidance)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1835615 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_pphrase.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
(limited to 'modules')

diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index a39b6f4707..c32debd45a 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -810,7 +810,7 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
                                         const char *certid, const char *keyid,
                                         X509 **pubkey, EVP_PKEY **privkey)
 {
-    SSLModConfigRec *mc = myModConfig(s);
+    const char *c, *scheme;
     ENGINE *e;
     UI_METHOD *ui_method = get_passphrase_ui(p);
     pphrase_cb_arg_t ppcb;
@@ -822,21 +822,35 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
     ppcb.key_id = vhostid;
     ppcb.pkey_file = keyid;
 
-    if (!mc->szCryptoDevice) {
+    c = ap_strchr_c(keyid, ':');
+    if (!c || c == keyid) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
-                     "Init: Cannot load private key `%s' without engine",
+                     "Init: Unrecognized private key identifier `%s'",
                      keyid);
         return ssl_die(s);
     }
 
-    if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
+    scheme = apr_pstrmemdup(p, keyid, c - keyid);
+    if (!(e = ENGINE_by_id(scheme))) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
-                     "Init: Failed to load Crypto Device API `%s'",
-                     mc->szCryptoDevice);
+                     "Init: Failed to load engine for private key %s",
+                     keyid);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
         return ssl_die(s);
     }
 
+    if (!ENGINE_init(e)) {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10149)
+                     "Init: Failed to initialize engine %s for private key %s",
+                     scheme, keyid);
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+        return ssl_die(s);
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "Init: Initialized engine %s for private key %s",
+                 scheme, keyid);
+
     if (APLOGdebug(s)) {
         ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0);
     }
@@ -865,6 +879,7 @@ apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
         return ssl_die(s);
     }
 
+    ENGINE_finish(e);
     ENGINE_free(e);
 
     return APR_SUCCESS;
-- 
cgit v1.2.3
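Review bot: The new ENGINE_init() failure branch returns through ssl_die() without dropping the structural reference that ENGINE_by_id() took a few lines above; add `ENGINE_free(e);` immediately before that `return ssl_die(s);`. The failure paths that follow this hunk (between it and the ENGINE_finish()/ENGINE_free() pair added in the third hunk) now also hold the functional reference acquired by ENGINE_init(), so a single cleanup label before the return would be tidier than per-branch releases; those lines, and the rest of modssl_load_engine_keypair, are outside the hunk. If ssl_die() follows its usual pattern of returning a fatal status so that startup aborts, the practical cost is a leak rather than a correctness problem. A short comment on the `scheme` derivation would also help the next reader, since the engine id is now taken from the configured key identifier rather than a dedicated directive: `/* The engine id is the prefix of the configured key id (up to the first ':'). */`.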