From 922d6bbc423f1684c002031dabc98c7ffabc8e08 Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Wed, 15 Nov 2023 22:09:05 +0000
Subject: [PATCH] mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. PR 68080
Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not available, OPENSSL_NO_ENGINE or more generally with the new API (providers) available since OpenSSL >= 3.
* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.
* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.
Submitted by: ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913815 13f79535-47bb-0310-9956-ffa450edef68
---
changes-entries/pr68080.txt | 3 +++
modules/ssl/mod_ssl.c | 2 --
modules/ssl/ssl_engine_config.c | 2 --
modules/ssl/ssl_private.h | 9 ++++-----
4 files changed, 7 insertions(+), 9 deletions(-)
create mode 100644 changes-entries/pr68080.txt
diff --git a/changes-entries/pr68080.txt b/changes-entries/pr68080.txt
new file mode 100644
index 00000000000..4fdf39e5499
--- /dev/null
+++ b/changes-entries/pr68080.txt
@@ -0,0 +1,3 @@
+ *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
+ Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
+ notably with OpenSSL >= 3. PR 68080. [ Yann Ylavic ]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 9e03c7252cc..420ae6b79ac 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -89,11 +89,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(SessionCache, TAKE1,
"SSL Session Cache storage "
"('none', 'nonenotnull', 'dbm:/path/to/file')")
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
SSL_CMD_SRV(CryptoDevice, TAKE1,
"SSL external Crypto Device usage "
"('builtin', '...')")
-#endif
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"('startup|connect builtin|file:/path|exec:/path [bytes]')")
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 1691ed75122..efd293169b1 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -669,7 +669,6 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd,
return NULL;
}
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
void *dcfg,
const char *arg)
@@ -714,7 +713,6 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
return NULL;
}
-#endif
const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
void *dcfg,
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index b98c93b8db8..ea9ea5e56df 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -107,9 +107,10 @@
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL */
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-#if OPENSSL_VERSION_NUMBER < 0x30000000 \
- || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \
+ && (OPENSSL_VERSION_NUMBER < 0x30000000 \
+ || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
+ && !defined(OPENSSL_NO_ENGINE)
#include
#define MODSSL_HAVE_ENGINE_API 1
#endif
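Review bot: With the `#if` guard gone, SSLCryptoDevice is registered on every build, but its help string `"('builtin', '...')"` still advertises a second form, which on an OPENSSL_NO_ENGINE or OpenSSL >= 3 build is presumably not accepted (the commit message says only "builtin" is guaranteed there). Saying when the engine-id form applies keeps `httpd -L` and the directive's usage error honest: `"('builtin', or an OpenSSL ENGINE id when the ENGINE API is available)"`. The ssl_config_cmds array starts and ends outside the hunk.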
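Review bot: Dropping this guard compiles ssl_cmd_SSLCryptoDevice on builds without the ENGINE API, so every ENGINE_* reference in its body (old lines 672–713, outside the hunk) must already sit under `#if MODSSL_HAVE_ENGINE_API` — the hunk gives no way to confirm that, and on an OPENSSL_NO_ENGINE build a stray ENGINE_by_id() or ENGINE_get_first() there now fails to compile in this file rather than being cleanly dropped. The non-engine path should also still reject any argument other than "builtin" with a configuration error, so a config written for an engine build does not silently fall back to software crypto; a quick check with `SSLCryptoDevice foo` against an OpenSSL 3 build would settle both. A one-line comment above the signature would spare the next reader the archaeology: `/* Always compiled: "builtin" is accepted on every build, engine ids only with MODSSL_HAVE_ENGINE_API. */`. The function body continues outside the hunk.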
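Review bot: The comment above the rewritten `#if` still explains only the "engine build installed globally" case, while the condition now also turns the ENGINE API off for OPENSSL_NO_ENGINE and for an OpenSSL >= 3 API level, so a reader has to decode four `&&`-ed clauses to learn that; extending it to something like `/* ... Also off when OpenSSL was built without ENGINE support (OPENSSL_NO_ENGINE) or when targeting the OpenSSL >= 3 API, where ENGINEs are deprecated in favour of providers; SSLCryptoDevice then accepts only "builtin". */` documents the intent next to the test. Note that `OPENSSL_NO_ENGINE` and `OPENSSL_API_LEVEL` only exist once an OpenSSL configuration header has been included; the use of OPENSSL_VERSION_NUMBER in the same condition suggests that has happened, but the includes are outside the hunk and an OpenSSL header included too late would make `!defined(OPENSSL_NO_ENGINE)` pass silently. The `#include` line after the condition shows with its target stripped in this rendering, so the header actually pulled in cannot be checked here.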
@@ -117,8 +118,6 @@
#define MODSSL_HAVE_ENGINE_API 0
#endif
-#endif
-
#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
#error mod_ssl requires OpenSSL 0.9.8a or later
#endif