authorTomas Mraz <tomas@openssl.org>2022-03-16 12:14:16 +0100
committerTomas Mraz <tomas@openssl.org>2022-03-18 12:21:19 +0100
commitbd5c91c82cdc4b6ffe4a2970f9512fc5ec7d2d06 (patch)
tree9bfc73b7ed7913c2626c4c1a65fcdb4a3d8208c1 /crypto/engine
parentFix documentation for provider-signature (diff)
eng_dyn: Avoid spurious errors when checking for 1.1.x engine
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17901)
Diffstat (limited to 'crypto/engine')
-rw-r--r--crypto/engine/eng_dyn.c33
1 files changed, 22 insertions, 11 deletions
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 68b9ac311d..21acde4046 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -401,6 +401,26 @@ static int int_load(dynamic_data_ctx *ctx)
return 0;
}
+/*
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 1.1.x will cause a fatal
+ * error. Detect such engines, since EVP_PKEY_base_id is exported
+ * as a function in openssl 1.1.x, while it is named EVP_PKEY_get_base_id
+ * in openssl 3.x. Therefore we take the presence of that symbol
+ * as an indication that the engine will be incompatible.
+ */
+static int using_libcrypto_11(dynamic_data_ctx *ctx)
+{
+ int ret;
+
+ ERR_set_mark();
+ ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_base_id") != NULL;
+ ERR_pop_to_mark();
+
+ return ret;
+}
+
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
{
ENGINE cpy;
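Review bot: The comment above `using_libcrypto_11()` explains why the symbol is probed but not what the function returns or what the probe cannot tell apart. As written it returns 1 whenever `DSO_bind_func` resolves `EVP_PKEY_base_id` through `ctx->dynamic_dso`, so any engine for which that name resolves is treated as a 1.1.x build, whatever the reason. The `ERR_set_mark()`/`ERR_pop_to_mark()` pair also discards any error the lookup queues. I would add one line to the comment, such as `Returns 1 if the symbol resolves (engine treated as built for 1.1.x), 0 otherwise; errors from the lookup are discarded.`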
@@ -450,18 +470,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
/*
* We fail if the version checker veto'd the load *or* if it is
* deferring to us (by returning its version) and we think it is too
- * old.
- * Unfortunately the version checker does not distinguish between
- * engines built for openssl 1.1.x and openssl 3.x, but loading
- * an engine that is built for openssl 1.1.x will cause a fatal
- * error. Detect such engines, since EVP_PKEY_base_id is exported
- * as a function in openssl 1.1.x, while it is a macro in openssl 3.x,
- * and therefore only the symbol EVP_PKEY_get_base_id is available
- * in openssl 3.x.
+ * old. Also fail if this is engine for openssl 1.1.x.
*/
- if (vcheck_res < OSSL_DYNAMIC_OLDEST
- || DSO_bind_func(ctx->dynamic_dso,
- "EVP_PKEY_base_id") != NULL) {
+ if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_11(ctx)) {
/* Fail */
ctx->bind_engine = NULL;
ctx->v_check = NULL;
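Review bot: The shortened comment reads `Also fail if this is engine for openssl 1.1.x.`, which is missing an article; `Also fail if this is an engine built for openssl 1.1.x.` would match the wording used on the helper. Both rejection causes share this fail branch and `using_libcrypto_11()` pops its own errors, so whatever error the branch raises (outside this hunk) presumably cannot distinguish a too-old version from a 1.1.x build. It is worth saying so in the comment, so that someone triaging a refused engine load checks both causes. `dynamic_load` starts before this hunk and continues past it.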