97 lines
2.8 KiB
Diff
97 lines
2.8 KiB
Diff
|
From 6efcf3c52db1857aaa18741a509741519b0c5775 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Doug Engert <deengert@gmail.com>
|
||
|
|
Date: Fri, 29 Jul 2022 17:54:42 -0500
|
||
|
|
Subject: [PATCH] Deffer initializing crypto routines in PKCS11 engine until
|
||
|
|
needed
|
||
|
|
|
||
|
|
Fixes:#456
|
||
|
|
|
||
|
|
bind_helper in eng_font.c is split into bind_helper and bind_helper2
|
||
|
|
The calls to ENGINE_set_RSA, ENGINE_set_EC, ENGINE_set_ECDH and
|
||
|
|
ENGINE_set_pkey_meths are moved to bind_helper2.
|
||
|
|
|
||
|
|
bind_helper2 is called from load_pubkey and load_privkey.
|
||
|
|
|
||
|
|
This in effect gets around the problem OpenSSL 3.0.x has when
|
||
|
|
it loads the pkcs11 engine from openssl.cnf, and then tries to use it
|
||
|
|
as a default provider even when no engine was specified on
|
||
|
|
the command line.
|
||
|
|
|
||
|
|
On branch deffer_init_crypto
|
||
|
|
Changes to be committed:
|
||
|
|
modified: eng_front.c
|
||
|
|
---
|
||
|
|
src/eng_front.c | 28 ++++++++++++++++++++++++----
|
||
|
|
1 file changed, 24 insertions(+), 4 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/eng_front.c b/src/eng_front.c
|
||
|
|
index 3a3c891..bfc3502 100644
|
||
|
|
--- a/src/eng_front.c
|
||
|
|
+++ b/src/eng_front.c
|
||
|
|
@@ -82,6 +82,8 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
|
||
|
|
{0, NULL, NULL, 0}
|
||
|
|
};
|
||
|
|
|
||
|
|
+static int bind_helper2(ENGINE *e);
|
||
|
|
+
|
||
|
|
static ENGINE_CTX *get_ctx(ENGINE *engine)
|
||
|
|
{
|
||
|
|
ENGINE_CTX *ctx;
|
||
|
|
@@ -174,6 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
|
||
|
|
ctx = get_ctx(engine);
|
||
|
|
if (!ctx)
|
||
|
|
return 0;
|
||
|
|
+ bind_helper2(engine);
|
||
|
|
return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
|
||
|
|
}
|
||
|
|
|
||
|
|
@@ -186,6 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
|
||
|
|
ctx = get_ctx(engine);
|
||
|
|
if (!ctx)
|
||
|
|
return 0;
|
||
|
|
+ bind_helper2(engine);
|
||
|
|
pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
|
||
|
|
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
|
||
|
|
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
|
||
|
|
@@ -219,6 +223,25 @@ static int bind_helper(ENGINE *e)
|
||
|
|
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
|
||
|
|
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
|
||
|
|
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
|
||
|
|
+
|
||
|
|
+ !ENGINE_set_load_pubkey_function(e, load_pubkey) ||
|
||
|
|
+ !ENGINE_set_load_privkey_function(e, load_privkey)) {
|
||
|
|
+ return 0;
|
||
|
|
+ } else {
|
||
|
|
+ ERR_load_ENG_strings();
|
||
|
|
+ return 1;
|
||
|
|
+ }
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
+/*
|
||
|
|
+ * With OpenSSL 3.x, engines might be used because defined in openssl.cnf
|
||
|
|
+ * which will cause problems
|
||
|
|
+ * only add engine routines after a call to load keys
|
||
|
|
+ */
|
||
|
|
+
|
||
|
|
+static int bind_helper2(ENGINE *e)
|
||
|
|
+{
|
||
|
|
+ if (
|
||
|
|
#ifndef OPENSSL_NO_RSA
|
||
|
|
!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
|
||
|
|
#endif
|
||
|
|
@@ -235,12 +258,9 @@ static int bind_helper(ENGINE *e)
|
||
|
|
!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
|
||
|
|
#endif
|
||
|
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||
|
|
- !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths) ||
|
||
|
|
- !ENGINE_set_load_pubkey_function(e, load_pubkey) ||
|
||
|
|
- !ENGINE_set_load_privkey_function(e, load_privkey)) {
|
||
|
|
+ !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) {
|
||
|
|
return 0;
|
||
|
|
} else {
|
||
|
|
- ERR_load_ENG_strings();
|
||
|
|
return 1;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|