Blame SOURCES/httpd-2.4.35-r1830819+.patch

e71654
# ./pullrev.sh 1830819 1830836 1830912 1830913 1830927 1831168 1831173
e71654
e71654
http://svn.apache.org/viewvc?view=revision&revision=1830819
e71654
http://svn.apache.org/viewvc?view=revision&revision=1830912
e71654
http://svn.apache.org/viewvc?view=revision&revision=1830913
e71654
http://svn.apache.org/viewvc?view=revision&revision=1830927
e71654
http://svn.apache.org/viewvc?view=revision&revision=1831168
e71654
http://svn.apache.org/viewvc?view=revision&revision=1831173
e71654
http://svn.apache.org/viewvc?view=revision&revision=1835240
e71654
http://svn.apache.org/viewvc?view=revision&revision=1835242
e71654
http://svn.apache.org/viewvc?view=revision&revision=1835615
e71654
e71654
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
e71654
index 43397f9..ff8f429 100644
e71654
--- httpd-2.4.35/modules/ssl/ssl_engine_config.c.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_engine_config.c
e71654
@@ -899,7 +899,9 @@
e71654
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
e71654
     const char *err;
e71654
 
e71654
-    if ((err = ssl_cmd_check_file(cmd, &arg))) {
e71654
+    /* Only check for non-ENGINE based certs. */
e71654
+    if (!modssl_is_engine_id(arg)
e71654
+        && (err = ssl_cmd_check_file(cmd, &arg))) {
e71654
         return err;
e71654
     }
e71654
 
e71654
@@ -915,7 +917,9 @@
e71654
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
e71654
     const char *err;
e71654
 
e71654
-    if ((err = ssl_cmd_check_file(cmd, &arg))) {
e71654
+    /* Check keyfile exists for non-ENGINE keys. */
e71654
+    if (!modssl_is_engine_id(arg)
e71654
+        && (err = ssl_cmd_check_file(cmd, &arg))) {
e71654
         return err;
e71654
     }
e71654
 
e71654
--- httpd-2.4.35/modules/ssl/ssl_engine_init.c.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_engine_init.c
e71654
@@ -1186,12 +1186,18 @@
e71654
                 (certfile = APR_ARRAY_IDX(mctx->pks->cert_files, i,
e71654
                                           const char *));
e71654
          i++) {
e71654
+        EVP_PKEY *pkey;
e71654
+        const char *engine_certfile = NULL;
e71654
+
e71654
         key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i);
e71654
 
e71654
         ERR_clear_error();
e71654
 
e71654
         /* first the certificate (public key) */
e71654
-        if (mctx->cert_chain) {
e71654
+        if (modssl_is_engine_id(certfile)) {
e71654
+            engine_certfile = certfile;
e71654
+        }
e71654
+        else if (mctx->cert_chain) {
e71654
             if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile,
e71654
                                               SSL_FILETYPE_PEM) < 1)) {
e71654
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02561)
e71654
@@ -1220,12 +1226,46 @@
e71654
 
e71654
         ERR_clear_error();
e71654
 
e71654
-        if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
e71654
-                                         SSL_FILETYPE_PEM) < 1) &&
e71654
-            (ERR_GET_FUNC(ERR_peek_last_error())
e71654
-                != X509_F_X509_CHECK_PRIVATE_KEY)) {
e71654
+        if (modssl_is_engine_id(keyfile)) {
e71654
+            apr_status_t rv;
e71654
+
e71654
+            cert = NULL;
e71654
+            
e71654
+            if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
e71654
+                                                 engine_certfile, keyfile,
e71654
+                                                 &cert, &pkey))) {
e71654
+                return rv;
e71654
+            }
e71654
+
e71654
+            if (cert) {
e71654
+                if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
e71654
+                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
e71654
+                                 "Failed to configure engine certificate %s, check %s",
e71654
+                                 key_id, certfile);
e71654
+                    ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
e71654
+                    return APR_EGENERAL;
e71654
+                }
e71654
+
e71654
+                /* SSL_CTX now owns the cert. */
e71654
+                X509_free(cert);
e71654
+            }                    
e71654
+            
e71654
+            if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) {
e71654
+                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130)
e71654
+                             "Failed to configure private key %s from engine",
e71654
+                             keyfile);
e71654
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
e71654
+                return APR_EGENERAL;
e71654
+            }
e71654
+
e71654
+            /* SSL_CTX now owns the key */
e71654
+            EVP_PKEY_free(pkey);
e71654
+        }
e71654
+        else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
e71654
+                                              SSL_FILETYPE_PEM) < 1)
e71654
+                 && (ERR_GET_FUNC(ERR_peek_last_error())
e71654
+                     != X509_F_X509_CHECK_PRIVATE_KEY)) {
e71654
             ssl_asn1_t *asn1;
e71654
-            EVP_PKEY *pkey;
e71654
             const unsigned char *ptr;
e71654
 
e71654
             ERR_clear_error();
e71654
@@ -1312,8 +1352,9 @@
e71654
     /*
e71654
      * Try to read DH parameters from the (first) SSLCertificateFile
e71654
      */
e71654
-    if ((certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *)) &&
e71654
-        (dhparams = ssl_dh_GetParamFromFile(certfile))) {
e71654
+    certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
e71654
+    if (certfile && !modssl_is_engine_id(certfile)
e71654
+        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
e71654
         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
e71654
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
e71654
                      "Custom DH parameters (%d bits) for %s loaded from %s",
e71654
@@ -1325,10 +1366,10 @@
e71654
     /*
e71654
      * Similarly, try to read the ECDH curve name from SSLCertificateFile...
e71654
      */
e71654
-    if ((certfile != NULL) && 
e71654
-        (ecparams = ssl_ec_GetParamFromFile(certfile)) &&
e71654
-        (nid = EC_GROUP_get_curve_name(ecparams)) &&
e71654
-        (eckey = EC_KEY_new_by_curve_name(nid))) {
e71654
+    if (certfile && !modssl_is_engine_id(certfile)
e71654
+        && (ecparams = ssl_ec_GetParamFromFile(certfile))
e71654
+        && (nid = EC_GROUP_get_curve_name(ecparams)) 
e71654
+        && (eckey = EC_KEY_new_by_curve_name(nid))) {
e71654
         SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
e71654
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
e71654
                      "ECDH curve %s for %s specified in %s",
e71654
--- httpd-2.4.35/modules/ssl/ssl_engine_pphrase.c.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_engine_pphrase.c
e71654
@@ -143,9 +143,6 @@
e71654
     const char *key_id = asn1_table_vhost_key(mc, p, sc->vhost_id, idx);
e71654
     EVP_PKEY *pPrivateKey = NULL;
e71654
     ssl_asn1_t *asn1;
e71654
-    unsigned char *ucp;
e71654
-    long int length;
e71654
-    BOOL bReadable;
e71654
     int nPassPhrase = (*pphrases)->nelts;
e71654
     int nPassPhraseRetry = 0;
e71654
     apr_time_t pkey_mtime = 0;
e71654
@@ -222,16 +219,12 @@
e71654
          * is not empty. */
e71654
         ERR_clear_error();
e71654
 
e71654
-        bReadable = ((pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file,
e71654
-                     NULL, ssl_pphrase_Handle_CB, &ppcb_arg)) != NULL ?
e71654
-                     TRUE : FALSE);
e71654
-
e71654
-        /*
e71654
-         * when the private key file now was readable,
e71654
-         * it's fine and we go out of the loop
e71654
-         */
e71654
-        if (bReadable)
e71654
-           break;
e71654
+        pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file,
e71654
+                                             ssl_pphrase_Handle_CB, &ppcb_arg);
e71654
+        /* If the private key was successfully read, nothing more to
e71654
+           do here. */
e71654
+        if (pPrivateKey != NULL)
e71654
+            break;
e71654
 
e71654
         /*
e71654
          * when we have more remembered pass phrases
e71654
@@ -356,19 +349,12 @@
e71654
         nPassPhrase++;
e71654
     }
e71654
 
e71654
-    /*
e71654
-     * Insert private key into the global module configuration
e71654
-     * (we convert it to a stand-alone DER byte sequence
e71654
-     * because the SSL library uses static variables inside a
e71654
-     * RSA structure which do not survive DSO reloads!)
e71654
-     */
e71654
-    length = i2d_PrivateKey(pPrivateKey, NULL);
e71654
-    ucp = ssl_asn1_table_set(mc->tPrivateKey, key_id, length);
e71654
-    (void)i2d_PrivateKey(pPrivateKey, &ucp;; /* 2nd arg increments */
e71654
+    /* Cache the private key in the global module configuration so it
e71654
+     * can be used after subsequent reloads. */
e71654
+    asn1 = ssl_asn1_table_set(mc->tPrivateKey, key_id, pPrivateKey);
e71654
 
e71654
     if (ppcb_arg.nPassPhraseDialogCur != 0) {
e71654
         /* remember mtime of encrypted keys */
e71654
-        asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);
e71654
         asn1->source_mtime = pkey_mtime;
e71654
     }
e71654
 
e71654
@@ -619,3 +605,303 @@
e71654
      */
e71654
     return (len);
e71654
 }
e71654
+
e71654
+
e71654
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
e71654
+
e71654
+/* OpenSSL UI implementation for passphrase entry; largely duplicated
e71654
+ * from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be
e71654
+ * worth trying to shift pphrase handling over to the UI API
e71654
+ * completely. */
e71654
+static int passphrase_ui_open(UI *ui)
e71654
+{
e71654
+    pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
e71654
+    SSLSrvConfigRec *sc = mySrvConfig(ppcb->s);
e71654
+
e71654
+    ppcb->nPassPhraseDialog++;
e71654
+    ppcb->nPassPhraseDialogCur++;
e71654
+
e71654
+    /*
e71654
+     * Builtin or Pipe dialog
e71654
+     */
e71654
+    if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
e71654
+        || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
e71654
+        if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
e71654
+            if (!readtty) {
e71654
+                ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s,
e71654
+                             APLOGNO(10143)
e71654
+                             "Init: Creating pass phrase dialog pipe child "
e71654
+                             "'%s'", sc->server->pphrase_dialog_path);
e71654
+                if (ssl_pipe_child_create(ppcb->p,
e71654
+                            sc->server->pphrase_dialog_path)
e71654
+                        != APR_SUCCESS) {
e71654
+                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb->s,
e71654
+                                 APLOGNO(10144)
e71654
+                                 "Init: Failed to create pass phrase pipe '%s'",
e71654
+                                 sc->server->pphrase_dialog_path);
e71654
+                    return 0;
e71654
+                }
e71654
+            }
e71654
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10145)
e71654
+                         "Init: Requesting pass phrase via piped dialog");
e71654
+        }
e71654
+        else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
e71654
+#ifdef WIN32
e71654
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb->s, APLOGNO(10146)
e71654
+                         "Init: Failed to create pass phrase pipe '%s'",
e71654
+                         sc->server->pphrase_dialog_path);
e71654
+            return 0;
e71654
+#else
e71654
+            /*
e71654
+             * stderr has already been redirected to the error_log.
e71654
+             * rather than attempting to temporarily rehook it to the terminal,
e71654
+             * we print the prompt to stdout before EVP_read_pw_string turns
e71654
+             * off tty echo
e71654
+             */
e71654
+            apr_file_open_stdout(&writetty, ppcb->p);
e71654
+
e71654
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10147)
e71654
+                         "Init: Requesting pass phrase via builtin terminal "
e71654
+                         "dialog");
e71654
+#endif
e71654
+        }
e71654
+
e71654
+        /*
e71654
+         * The first time display a header to inform the user about what
e71654
+         * program he actually speaks to, which module is responsible for
e71654
+         * this terminal dialog and why to the hell he has to enter
e71654
+         * something...
e71654
+         */
e71654
+        if (ppcb->nPassPhraseDialog == 1) {
e71654
+            apr_file_printf(writetty, "%s mod_ssl (Pass Phrase Dialog)\n",
e71654
+                            AP_SERVER_BASEVERSION);
e71654
+            apr_file_printf(writetty,
e71654
+                            "A pass phrase is required to access the private key.\n");
e71654
+        }
e71654
+        if (ppcb->bPassPhraseDialogOnce) {
e71654
+            ppcb->bPassPhraseDialogOnce = FALSE;
e71654
+            apr_file_printf(writetty, "\n");
e71654
+            apr_file_printf(writetty, "Private key %s (%s)\n",
e71654
+                            ppcb->key_id, ppcb->pkey_file);
e71654
+        }
e71654
+    }
e71654
+
e71654
+    return 1;
e71654
+}
e71654
+
e71654
+static int passphrase_ui_read(UI *ui, UI_STRING *uis)
e71654
+{
e71654
+    pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
e71654
+    SSLSrvConfigRec *sc = mySrvConfig(ppcb->s);
e71654
+    const char *prompt;
e71654
+    int i;
e71654
+    int bufsize;
e71654
+    int len;
e71654
+    char *buf;
e71654
+
e71654
+    prompt = UI_get0_output_string(uis);
e71654
+    if (prompt == NULL) {
e71654
+        prompt = "Enter pass phrase:";
e71654
+    }
e71654
+
e71654
+    /*
e71654
+     * Get the maximum expected size and allocate the buffer
e71654
+     */
e71654
+    bufsize = UI_get_result_maxsize(uis);
e71654
+    buf = apr_pcalloc(ppcb->p, bufsize);
e71654
+
e71654
+    if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
e71654
+        || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
e71654
+        /*
e71654
+         * Get the pass phrase through a callback.
e71654
+         * Empty input is not accepted.
e71654
+         */
e71654
+        for (;;) {
e71654
+            if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
e71654
+                i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
e71654
+            }
e71654
+            else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
e71654
+                i = EVP_read_pw_string(buf, bufsize, "", FALSE);
e71654
+            }
e71654
+            if (i != 0) {
e71654
+                OPENSSL_cleanse(buf, bufsize);
e71654
+                return 0;
e71654
+            }
e71654
+            len = strlen(buf);
e71654
+            if (len < 1){
e71654
+                apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase"
e71654
+                                "empty (needs to be at least 1 character).\n");
e71654
+                apr_file_puts(prompt, writetty);
e71654
+            }
e71654
+            else {
e71654
+                break;
e71654
+            }
e71654
+        }
e71654
+    }
e71654
+    /*
e71654
+     * Filter program
e71654
+     */
e71654
+    else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
e71654
+        const char *cmd = sc->server->pphrase_dialog_path;
e71654
+        const char **argv = apr_palloc(ppcb->p, sizeof(char *) * 3);
e71654
+        char *result;
e71654
+
e71654
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10148)
e71654
+                     "Init: Requesting pass phrase from dialog filter "
e71654
+                     "program (%s)", cmd);
e71654
+
e71654
+        argv[0] = cmd;
e71654
+        argv[1] = ppcb->key_id;
e71654
+        argv[2] = NULL;
e71654
+
e71654
+        result = ssl_util_readfilter(ppcb->s, ppcb->p, cmd, argv);
e71654
+        apr_cpystrn(buf, result, bufsize);
e71654
+        len = strlen(buf);
e71654
+    }
e71654
+
e71654
+    /*
e71654
+     * Ok, we now have the pass phrase, so give it back
e71654
+     */
e71654
+    ppcb->cpPassPhraseCur = apr_pstrdup(ppcb->p, buf);
e71654
+    UI_set_result(ui, uis, buf);
e71654
+
e71654
+    /* Clear sensitive data. */
e71654
+    OPENSSL_cleanse(buf, bufsize);
e71654
+    return 1;
e71654
+}
e71654
+
e71654
+static int passphrase_ui_write(UI *ui, UI_STRING *uis)
e71654
+{
e71654
+    pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
e71654
+    SSLSrvConfigRec *sc;
e71654
+    const char *prompt;
e71654
+
e71654
+    sc = mySrvConfig(ppcb->s);
e71654
+
e71654
+    if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
e71654
+        || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
e71654
+        prompt = UI_get0_output_string(uis);
e71654
+        apr_file_puts(prompt, writetty);
e71654
+    }
e71654
+
e71654
+    return 1;
e71654
+}
e71654
+
e71654
+static int passphrase_ui_close(UI *ui)
e71654
+{
e71654
+    /*
e71654
+     * Close the pipes if they were opened
e71654
+     */
e71654
+    if (readtty) {
e71654
+        apr_file_close(readtty);
e71654
+        apr_file_close(writetty);
e71654
+        readtty = writetty = NULL;
e71654
+    }
e71654
+    return 1;
e71654
+}
e71654
+
e71654
+static apr_status_t pp_ui_method_cleanup(void *uip)
e71654
+{
e71654
+    UI_METHOD *uim = uip;
e71654
+    
e71654
+    UI_destroy_method(uim);
e71654
+
e71654
+    return APR_SUCCESS;
e71654
+}
e71654
+
e71654
+static UI_METHOD *get_passphrase_ui(apr_pool_t *p)
e71654
+{
e71654
+    UI_METHOD *ui_method = UI_create_method("Passphrase UI");
e71654
+
e71654
+    UI_method_set_opener(ui_method, passphrase_ui_open);
e71654
+    UI_method_set_reader(ui_method, passphrase_ui_read);
e71654
+    UI_method_set_writer(ui_method, passphrase_ui_write);
e71654
+    UI_method_set_closer(ui_method, passphrase_ui_close);
e71654
+
e71654
+    apr_pool_cleanup_register(p, ui_method, pp_ui_method_cleanup,
e71654
+                              pp_ui_method_cleanup);
e71654
+    
e71654
+    return ui_method;
e71654
+}
e71654
+
e71654
+
e71654
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
e71654
+                                        const char *vhostid,
e71654
+                                        const char *certid, const char *keyid,
e71654
+                                        X509 **pubkey, EVP_PKEY **privkey)
e71654
+{
e71654
+    const char *c, *scheme;
e71654
+    ENGINE *e;
e71654
+    UI_METHOD *ui_method = get_passphrase_ui(p);
e71654
+    pphrase_cb_arg_t ppcb;
e71654
+
e71654
+    memset(&ppcb, 0, sizeof ppcb);
e71654
+    ppcb.s = s;
e71654
+    ppcb.p = p;
e71654
+    ppcb.bPassPhraseDialogOnce = TRUE;
e71654
+    ppcb.key_id = vhostid;
e71654
+    ppcb.pkey_file = keyid;
e71654
+
e71654
+    c = ap_strchr_c(keyid, ':');
e71654
+    if (!c || c == keyid) {
e71654
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
e71654
+                     "Init: Unrecognized private key identifier `%s'",
e71654
+                     keyid);
e71654
+        return ssl_die(s);
e71654
+    }
e71654
+
e71654
+    scheme = apr_pstrmemdup(p, keyid, c - keyid);
e71654
+    if (!(e = ENGINE_by_id(scheme))) {
e71654
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
e71654
+                     "Init: Failed to load engine for private key %s",
e71654
+                     keyid);
e71654
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
e71654
+        return ssl_die(s);
e71654
+    }
e71654
+
e71654
+    if (!ENGINE_init(e)) {
e71654
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10149)
e71654
+                     "Init: Failed to initialize engine %s for private key %s",
e71654
+                     scheme, keyid);
e71654
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
e71654
+        return ssl_die(s);
e71654
+    }
e71654
+
e71654
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 
e71654
+                 "Init: Initialized engine %s for private key %s",
e71654
+                 scheme, keyid);
e71654
+
e71654
+    if (APLOGdebug(s)) {
e71654
+        ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0);
e71654
+    }
e71654
+
e71654
+    if (certid) {
e71654
+        struct {
e71654
+            const char *cert_id;
e71654
+            X509 *cert;
e71654
+        } params = { certid, NULL };
e71654
+
e71654
+        if (!ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
e71654
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10136)
e71654
+                         "Init: Unable to get the certificate");
e71654
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
e71654
+            return ssl_die(s);
e71654
+        }
e71654
+
e71654
+        *pubkey = params.cert;
e71654
+    }
e71654
+
e71654
+    *privkey = ENGINE_load_private_key(e, keyid, ui_method, &ppcb);
e71654
+    if (*privkey == NULL) {
e71654
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10133)
e71654
+                     "Init: Unable to get the private key");
e71654
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
e71654
+        return ssl_die(s);
e71654
+    }
e71654
+
e71654
+    ENGINE_finish(e);
e71654
+    ENGINE_free(e);
e71654
+
e71654
+    return APR_SUCCESS;
e71654
+}
e71654
+#endif
e71654
--- httpd-2.4.35/modules/ssl/ssl_private.h.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_private.h
e71654
@@ -986,21 +986,28 @@
e71654
 apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
e71654
                                      const char *, apr_array_header_t **);
e71654
 
e71654
+/* Load public and/or private key from the configured ENGINE. Private
e71654
+ * key returned as *pkey.  certid can be NULL, in which case *pubkey
e71654
+ * is not altered.  Errors logged on failure. */
e71654
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
e71654
+                                        const char *vhostid,
e71654
+                                        const char *certid, const char *keyid,
e71654
+                                        X509 **pubkey, EVP_PKEY **privkey);
e71654
+
e71654
 /**  Diffie-Hellman Parameter Support  */
e71654
 DH           *ssl_dh_GetParamFromFile(const char *);
e71654
 #ifdef HAVE_ECC
e71654
 EC_GROUP     *ssl_ec_GetParamFromFile(const char *);
e71654
 #endif
e71654
 
e71654
-unsigned char *ssl_asn1_table_set(apr_hash_t *table,
e71654
-                                  const char *key,
e71654
-                                  long int length);
e71654
-
e71654
-ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
e71654
-                               const char *key);
e71654
-
e71654
-void ssl_asn1_table_unset(apr_hash_t *table,
e71654
-                          const char *key);
e71654
+/* Store the EVP_PKEY key (serialized into DER) in the hash table with
e71654
+ * key, returning the ssl_asn1_t structure pointer. */
e71654
+ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
e71654
+                               EVP_PKEY *pkey);
e71654
+/* Retrieve the ssl_asn1_t structure with given key from the hash. */
e71654
+ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
e71654
+/* Remove and free the ssl_asn1_t structure with given key. */
e71654
+void ssl_asn1_table_unset(apr_hash_t *table, const char *key);
e71654
 
e71654
 /**  Mutex Support  */
e71654
 int          ssl_mutex_init(server_rec *, apr_pool_t *);
e71654
@@ -1088,6 +1095,10 @@
e71654
 int ssl_is_challenge(conn_rec *c, const char *servername, 
e71654
                      X509 **pcert, EVP_PKEY **pkey);
e71654
 
e71654
+/* Returns non-zero if the cert/key filename should be handled through
e71654
+ * the configured ENGINE. */
e71654
+int modssl_is_engine_id(const char *name);
e71654
+
e71654
 #endif /* SSL_PRIVATE_H */
e71654
 /** @} */
e71654
 
e71654
--- httpd-2.4.35/modules/ssl/ssl_util.c.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_util.c
e71654
@@ -175,45 +175,37 @@
e71654
     return TRUE;
e71654
 }
e71654
 
e71654
-/*
e71654
- * certain key data needs to survive restarts,
e71654
- * which are stored in the user data table of s->process->pool.
e71654
- * to prevent "leaking" of this data, we use malloc/free
e71654
- * rather than apr_palloc and these wrappers to help make sure
e71654
- * we do not leak the malloc-ed data.
e71654
- */
e71654
-unsigned char *ssl_asn1_table_set(apr_hash_t *table,
e71654
-                                  const char *key,
e71654
-                                  long int length)
e71654
+/* Decrypted private keys are cached to survive restarts.  The cached
e71654
+ * data must have lifetime of the process (hence malloc/free rather
e71654
+ * than pools), and uses raw DER since the EVP_PKEY structure
e71654
+ * internals may not survive across a module reload. */
e71654
+ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
e71654
+                               EVP_PKEY *pkey)
e71654
 {
e71654
     apr_ssize_t klen = strlen(key);
e71654
     ssl_asn1_t *asn1 = apr_hash_get(table, key, klen);
e71654
+    apr_size_t length = i2d_PrivateKey(pkey, NULL);
e71654
+    unsigned char *p;
e71654
 
e71654
-    /*
e71654
-     * if a value for this key already exists,
e71654
-     * reuse as much of the already malloc-ed data
e71654
-     * as possible.
e71654
-     */
e71654
+    /* Re-use structure if cached previously. */
e71654
     if (asn1) {
e71654
         if (asn1->nData != length) {
e71654
-            free(asn1->cpData); /* XXX: realloc? */
e71654
-            asn1->cpData = NULL;
e71654
+            asn1->cpData = ap_realloc(asn1->cpData, length);
e71654
         }
e71654
     }
e71654
     else {
e71654
         asn1 = ap_malloc(sizeof(*asn1));
e71654
         asn1->source_mtime = 0; /* used as a note for encrypted private keys */
e71654
-        asn1->cpData = NULL;
e71654
-    }
e71654
-
e71654
-    asn1->nData = length;
e71654
-    if (!asn1->cpData) {
e71654
         asn1->cpData = ap_malloc(length);
e71654
+
e71654
+        apr_hash_set(table, key, klen, asn1);
e71654
     }
e71654
 
e71654
-    apr_hash_set(table, key, klen, asn1);
e71654
+    asn1->nData = length;
e71654
+    p = asn1->cpData;
e71654
+    i2d_PrivateKey(pkey, &p); /* increases p by length */
e71654
 
e71654
-    return asn1->cpData; /* caller will assign a value to this */
e71654
+    return asn1;
e71654
 }
e71654
 
e71654
 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
e71654
@@ -463,3 +455,13 @@
e71654
 }
e71654
 
e71654
 #endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */
e71654
+
e71654
+int modssl_is_engine_id(const char *name)
e71654
+{
e71654
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
e71654
+    /* ### Can handle any other special ENGINE key names here? */
e71654
+    return strncmp(name, "pkcs11:", 7) == 0;
e71654
+#else
e71654
+    return 0;
e71654
+#endif
e71654
+}
e71654
--- httpd-2.4.35/modules/ssl/ssl_util_ssl.c.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_util_ssl.c
e71654
@@ -74,7 +74,7 @@
e71654
 **  _________________________________________________________________
e71654
 */
e71654
 
e71654
-EVP_PKEY *modssl_read_privatekey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
e71654
+EVP_PKEY *modssl_read_privatekey(const char *filename, pem_password_cb *cb, void *s)
e71654
 {
e71654
     EVP_PKEY *rc;
e71654
     BIO *bioS;
e71654
@@ -83,7 +83,7 @@
e71654
     /* 1. try PEM (= DER+Base64+headers) */
e71654
     if ((bioS=BIO_new_file(filename, "r")) == NULL)
e71654
         return NULL;
e71654
-    rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
e71654
+    rc = PEM_read_bio_PrivateKey(bioS, NULL, cb, s);
e71654
     BIO_free(bioS);
e71654
 
e71654
     if (rc == NULL) {
e71654
@@ -107,41 +107,9 @@
e71654
             BIO_free(bioS);
e71654
         }
e71654
     }
e71654
-    if (rc != NULL && key != NULL) {
e71654
-        if (*key != NULL)
e71654
-            EVP_PKEY_free(*key);
e71654
-        *key = rc;
e71654
-    }
e71654
     return rc;
e71654
 }
e71654
 
e71654
-typedef struct {
e71654
-    const char *pass;
e71654
-    int pass_len;
e71654
-} pass_ctx;
e71654
-
e71654
-static int provide_pass(char *buf, int size, int rwflag, void *baton)
e71654
-{
e71654
-    pass_ctx *ctx = baton;
e71654
-    if (ctx->pass_len > 0) {
e71654
-        if (ctx->pass_len < size) {
e71654
-            size = (int)ctx->pass_len;
e71654
-        }
e71654
-        memcpy(buf, ctx->pass, size);
e71654
-    }
e71654
-    return ctx->pass_len;
e71654
-}
e71654
-
e71654
-EVP_PKEY   *modssl_read_encrypted_pkey(const char *filename, EVP_PKEY **key, 
e71654
-                                       const char *pass, apr_size_t pass_len)
e71654
-{
e71654
-    pass_ctx ctx;
e71654
-    
e71654
-    ctx.pass = pass;
e71654
-    ctx.pass_len = pass_len;
e71654
-    return modssl_read_privatekey(filename, key, provide_pass, &ctx;;
e71654
-}
e71654
-
e71654
 /*  _________________________________________________________________
e71654
 **
e71654
 **  Smart shutdown
e71654
--- httpd-2.4.35/modules/ssl/ssl_util_ssl.h.r1830819+
e71654
+++ httpd-2.4.35/modules/ssl/ssl_util_ssl.h
e71654
@@ -64,8 +64,11 @@
e71654
 void        modssl_init_app_data2_idx(void);
e71654
 void       *modssl_get_app_data2(SSL *);
e71654
 void        modssl_set_app_data2(SSL *, void *);
e71654
-EVP_PKEY   *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *);
e71654
-EVP_PKEY   *modssl_read_encrypted_pkey(const char *, EVP_PKEY **, const char *, apr_size_t);
e71654
+
e71654
+/* Read private key from filename in either PEM or raw base64(DER)
e71654
+ * format, using password entry callback cb and userdata. */
e71654
+EVP_PKEY   *modssl_read_privatekey(const char *filename, pem_password_cb *cb, void *ud);
e71654
+
e71654
 int         modssl_smart_shutdown(SSL *ssl);
e71654
 BOOL        modssl_X509_getBC(X509 *, int *, int *);
e71654
 char       *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,