Index: modules/ssl/ssl_engine_pphrase.c
|
|
===================================================================
|
|
--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
|
|
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
|
|
@@ -806,6 +806,9 @@
|
|
return APR_SUCCESS;
|
|
}
|
|
|
|
+/* Tries to load the key and optionally certificate via the ENGINE
|
|
+ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
|
|
+ * ENGINE implementation. */
|
|
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
|
|
apr_pool_t *ptemp,
|
|
const char *vhostid,
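Review bot: The new header comment promises APR_ENOTIMPL whenever "the keypair could not be loaded via an ENGINE implementation", but the later hunks only convert two paths to that return value: an identifier without a recognized scheme and a failed ENGINE_by_id(); the ENGINE_init() branch and whatever follows it are not touched by this patch and so presumably still end in ssl_die(), which the caller cannot intercept. I would narrow the comment so the caller's fall-through logic is documented accurately: `/* Tries to load the key and optionally certificate via the ENGINE API. Returns APR_ENOTIMPL only if the key identifier has no recognized ENGINE scheme or the named ENGINE is not available, so the caller may try another loader; any later failure (ENGINE_init, key or cert load) is still fatal via ssl_die(). */`. The rest of modssl_load_keypair_engine's signature and body lie outside this hunk.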
|
|
@@ -831,7 +834,7 @@
|
|
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
|
|
"Init: Unrecognized private key identifier `%s'",
|
|
keyid);
|
|
- return ssl_die(s);
|
|
+ return APR_ENOTIMPL;
|
|
}
|
|
|
|
scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
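Review bot: The "Unrecognized private key identifier" message is still logged at APLOG_EMERG even though the branch now returns APR_ENOTIMPL instead of dying, so on an OpenSSL 3 build where the caller falls through to the STORE API and succeeds, the error log will carry an EMERG entry for a startup that completed normally; EMERG is exactly the level production log monitoring tends to page on. Since the caller decides whether this is fatal (and, if I read the other hunks correctly, ssl_die() reports the fatal exit on that path), the message here should be informational: `ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10131)`. If a plain file path can reach this function at all now that the SSLCryptoDevice gate was removed from the caller, that would make the spurious EMERG routine rather than rare, but the check that sets `c` is above this hunk so I cannot confirm that from here.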
|
|
@@ -839,8 +842,8 @@
|
|
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
|
|
"Init: Failed to load engine for private key %s",
|
|
keyid);
|
|
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
- return ssl_die(s);
|
|
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
|
|
+ return APR_ENOTIMPL;
|
|
}
|
|
|
|
if (!ENGINE_init(e)) {
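Review bot: The two log lines for a single event now disagree on severity: the OpenSSL error queue is dumped at APLOG_NOTICE (the new line) while the accompanying "Failed to load engine for private key" message stays at APLOG_EMERG, so an admin sees an EMERG headline followed by NOTICE-level detail for a condition the caller may go on to recover from via the STORE API. Lower the message to match, `ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10132)`, and leave the EMERG to the caller's ssl_die() when there is genuinely no fallback. Note also that the `if (!ENGINE_init(e))` branch starting on the hunk's last line is unchanged by this patch; its body is outside the hunk, but if it still calls ssl_die() then a host with a misconfigured ENGINE and a working provider will exit rather than fall back, which may be worth a sentence in the commit message.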
|
|
@@ -996,15 +999,21 @@
|
|
X509 **pubkey, EVP_PKEY **privkey)
|
|
{
|
|
#if MODSSL_HAVE_ENGINE_API
|
|
- SSLModConfigRec *mc = myModConfig(s);
|
|
+ apr_status_t rv;
|
|
|
|
- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
|
|
- * support was not present compile-time, or if it's built but
|
|
- * SSLCryptoDevice is not configured. */
|
|
- if (mc->szCryptoDevice)
|
|
- return modssl_load_keypair_engine(s, pconf, ptemp,
|
|
- vhostid, certid, keyid,
|
|
- pubkey, privkey);
|
|
+ rv = modssl_load_keypair_engine(s, pconf, ptemp,
|
|
+ vhostid, certid, keyid,
|
|
+ pubkey, privkey);
|
|
+ if (rv == APR_SUCCESS) {
|
|
+ return rv;
|
|
+ }
|
|
+ /* If STORE support is not present, all errors are fatal here; if
|
|
+ * STORE is present and the ENGINE could not be loaded, ignore the
|
|
+ * error and fall through to try loading via the STORE API. */
|
|
+ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
|
|
+ return ssl_die(s);
|
|
+ }
|
|
+
|
|
#endif
|
|
#if MODSSL_HAVE_OPENSSL_STORE
|
|
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
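Review bot: The new `else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL)` uses a build-configuration macro in a runtime C expression, which only compiles if MODSSL_HAVE_OPENSSL_STORE is defined to 0 or 1 in every configuration; the file's own `#if MODSSL_HAVE_OPENSSL_STORE` a few lines below would silently treat an undefined macro as 0, whereas this expression would fail with an undeclared identifier on an OpenSSL 1.1 build if the macro is only defined when true. Whether that happens depends on ssl_private.h, which is not visible here, but expressing the split with the preprocessor removes the question and makes the two build shapes explicit instead of hiding one of them behind a constant-folded condition. I would restructure the error handling as below (the `#endif` closing MODSSL_HAVE_ENGINE_API and the STORE call that follow are unchanged). It is also worth stating in the comment that only the "declined" cases fall through; an ENGINE that is found but fails later is still fatal, as far as the other hunks show.
```c
    if (rv == APR_SUCCESS) {
        return rv;
    }
#if MODSSL_HAVE_OPENSSL_STORE
    /* The ENGINE path declined this key (no recognized scheme, or no
     * such ENGINE): fall through and try the STORE API.  Any other
     * failure was a real error and remains fatal. */
    if (rv != APR_ENOTIMPL) {
        return ssl_die(s);
    }
#else
    /* No STORE fallback is built in, so every ENGINE failure is fatal. */
    return ssl_die(s);
#endif
    /* … unchanged: #endif for MODSSL_HAVE_ENGINE_API, STORE loader call … */
```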
|