On 9/12/24 6:04 PM, jor...@apache.org wrote:
> Author: jorton
> Date: Thu Sep 12 16:04:39 2024
> New Revision: 1920597
> 
> URL: http://svn.apache.org/viewvc?rev=1920597&view=rev
> Log:
> mod_ssl: Fix regression in r1914365 preventing pkcs11: key/cert lookup
> via the ENGINE API without SSLCryptoDevice configured.
> 
> * modules/ssl/ssl_engine_pphrase.c
>   (modssl_load_keypair_engine): Return APR_ENOTIMPL if the ENGINE
>   could not be loaded for the key.
>   (modssl_load_engine_keypair): Always try loading via ENGINE
>   (as prior to r1914365) but fall back to the STORE API for
>   the new APR_ENOTIMPL case.
> 
> Github: closes #480
> 
> Added:
>     httpd/httpd/trunk/changes-entries/modssl-engine-fallback.txt
> Modified:
>     httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> 

> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1920597&r1=1920596&r2=1920597&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Thu Sep 12 16:04:39 2024

> @@ -996,15 +999,21 @@ apr_status_t modssl_load_engine_keypair(
>                                          X509 **pubkey, EVP_PKEY **privkey)
>  {
>  #if MODSSL_HAVE_ENGINE_API 
> -    SSLModConfigRec *mc = myModConfig(s);
> +    apr_status_t rv;
> +
> +    rv = modssl_load_keypair_engine(s, pconf, ptemp,
> +                                    vhostid, certid, keyid,
> +                                    pubkey, privkey);
> +    if (rv == APR_SUCCESS) {
> +        return rv;
> +    }
> +    /* If STORE support is not present, all errors are fatal here; if
> +     * STORE is present and the ENGINE could not be loaded, ignore the
> +     * error and fall through to try loading via the STORE API. */
> +    else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
> +        return ssl_die(s);
> +    }

Sorry for my late comments in chunks, but I stumbled across this when doing the backport review.
Why are all errors fatal in case we have no STORE support?
If we neither have MODSSL_HAVE_ENGINE_API nor MODSSL_HAVE_OPENSSL_STORE we just return APR_ENOTIMPL.

>  
> -    /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
> -     * support was not present compile-time, or if it's built but
> -     * SSLCryptoDevice is not configured. */
> -    if (mc->szCryptoDevice)
> -        return modssl_load_keypair_engine(s, pconf, ptemp,
> -                                          vhostid, certid, keyid,
> -                                          pubkey, privkey);
>  #endif
>  #if MODSSL_HAVE_OPENSSL_STORE
>      return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
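Review bot: in the new `else if`, the `!MODSSL_HAVE_OPENSSL_STORE` arm turns every non-success result of `modssl_load_keypair_engine` into `ssl_die(s)` when STORE support is compiled out, including the new APR_ENOTIMPL case that the log message defines as "the ENGINE could not be loaded for the key"; as the reply above points out, a build with neither ENGINE nor STORE support instead hands APR_ENOTIMPL back to the caller, so the two no-STORE configurations now treat the same condition differently. If APR_ENOTIMPL is meant to signal "not handled by this loader" rather than a misconfiguration, consider returning it in the no-STORE build rather than dying, e.g. `if (!MODSSL_HAVE_OPENSSL_STORE) return rv;` ahead of the fatal branch, or add a comment stating why a missing ENGINE is fatal only when STORE is absent. Style nit: the `else` following an unconditional `return rv;` is redundant and forces the explanatory comment to sit between `}` and `else if`; dropping the `else` and moving the comment above the second `if` reads more naturally.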

Regards

Rüdiger
