[PATCH v3] Fix ENGINE support with OpenSSL 1.1+

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Commit 373c7969485 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.

That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.

Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.

Signed-off-by: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
---

On Sun, 2019-04-28 at 20:37 +0300, Jouni Malinen wrote:
> I'm not sure what the comment about the debug message is referring to,
> but regardless, I have not seen v3. Are you still planning on sending
> that or is this v2 sufficient to fix the issue?

Er, what? Who are you and why are you sending me email?

Oh, right. I found this in my local git tree. Maybe you want it? 

My tree also seem to have a hack to load a "tpm2" engine instead of
"opensc". How should we expose *that* to the user coherently? Hint:
Ideally only if the PEM file we are asked to load contains the header
line ---BEGIN TSS2 PRIVATE KEY----- and then without any help from the
user at all...

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 705fa29a3..c996ea562 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1033,11 +1033,8 @@ void * tls_init(const struct tls_config *conf)
 	}
 
 #ifndef OPENSSL_NO_ENGINE
-	wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	ERR_load_ENGINE_strings();
-	ENGINE_load_dynamic();
-#endif /* OPENSSL_VERSION_NUMBER */
+	wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
+	ENGINE_load_builtin_engines();
 
 	if (conf &&
 	    (conf->opensc_engine_path || conf->pkcs11_engine_path ||

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux