
[v3] Fix ENGINE support with OpenSSL 1.1+

Message ID 2a4c7e4096a54e0134bfba6011dcc178cc2af586.camel@infradead.org
State Accepted
Series: [v3] Fix ENGINE support with OpenSSL 1.1+

Commit Message

David Woodhouse April 28, 2019, 6:56 p.m. UTC
Commit 373c7969485 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.

That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.

Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---

On Sun, 2019-04-28 at 20:37 +0300, Jouni Malinen wrote:
> I'm not sure what the comment about the debug message is referring to,
> but regardless, I have not seen v3. Are you still planning on sending
> that or is this v2 sufficient to fix the issue?

Er, what? Who are you and why are you sending me email?

Oh, right. I found this in my local git tree. Maybe you want it? 

My tree also seems to have a hack to load a "tpm2" engine instead of
"opensc". How should we expose *that* to the user coherently? Hint:
Ideally only if the PEM file we are asked to load contains the header
line ---BEGIN TSS2 PRIVATE KEY----- and then without any help from the
user at all...
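The header-line sniffing described in the reply above, as an added example that is not hostap code and not part of this patch: it locates the first PEM encapsulation boundary in a key buffer, extracts its label, and maps the label to an ENGINE id so a TPM-wrapped key can be routed to a "tpm2" engine without the user naming the engine. The label table, the helper names (pem_first_label, engine_for_pem, the demo_* wrappers) and the sample key framing are assumptions for illustration; PEM boundaries use five dashes on each side, so the example matches that form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not hostap code: pick an OpenSSL ENGINE id from the PEM
 * label of a key file.  Only the "-----BEGIN <label>-----" line is inspected;
 * the base64 body is never parsed.  The engine ids and the label table are
 * assumptions for illustration.
 */
struct pem_engine_map {
	const char *label;   /* text between "-----BEGIN " and "-----" */
	const char *engine;  /* ENGINE id assumed able to load such a key */
};

static const struct pem_engine_map pem_engines[] = {
	{ "TSS2 PRIVATE KEY", "tpm2" },   /* TPM 2.0 wrapped key, as in the thread */
	{ NULL, NULL }
};

/*
 * Copy the label of the first well-formed "-----BEGIN ...-----" line in
 * buf into label (NUL-terminated).  Returns 0 on success, -1 if no such
 * line exists or the label does not fit.  Scans line by line and tolerates
 * CRLF files and leading comment lines, which real key files often carry.
 */
static int pem_first_label(const char *buf, size_t len,
			   char *label, size_t label_len)
{
	static const char begin[] = "-----BEGIN ";
	static const char end[] = "-----";
	const size_t begin_len = sizeof(begin) - 1;
	const size_t end_len = sizeof(end) - 1;
	size_t pos = 0;

	while (pos < len) {
		const char *line = buf + pos;
		size_t rem = len - pos;
		const char *nl = memchr(line, '\n', rem);
		size_t line_len = nl ? (size_t)(nl - line) : rem;
		size_t lab_len;

		pos += line_len + 1;

		/* strip a trailing CR so CRLF files match too */
		if (line_len && line[line_len - 1] == '\r')
			line_len--;

		if (line_len < begin_len + end_len)
			continue;
		if (memcmp(line, begin, begin_len) != 0)
			continue;
		if (memcmp(line + line_len - end_len, end, end_len) != 0)
			continue;

		lab_len = line_len - begin_len - end_len;
		if (lab_len == 0 || lab_len >= label_len)
			return -1;
		memcpy(label, line + begin_len, lab_len);
		label[lab_len] = '\0';
		return 0;
	}
	return -1;
}

/*
 * Map a PEM buffer to an ENGINE id, or NULL when the key is an ordinary
 * software key (or not PEM at all) and the configured default applies.
 */
const char *engine_for_pem(const char *buf, size_t len)
{
	char label[64];
	const struct pem_engine_map *m;

	if (pem_first_label(buf, len, label, sizeof(label)) < 0)
		return NULL;
	for (m = pem_engines; m->label; m++)
		if (strcmp(m->label, label) == 0)
			return m->engine;
	return NULL;
}

/* Constructed sample inputs (not real keys): only the PEM framing matters. */
static const char sample_tpm_key[] =
	"-----BEGIN TSS2 PRIVATE KEY-----\n"
	"AAAAAAAAAAAAAAAAAAAAAAAA\n"
	"-----END TSS2 PRIVATE KEY-----\n";
static const char sample_sw_key[] =
	"# comment line before the boundary\r\n"
	"-----BEGIN PRIVATE KEY-----\r\n"
	"AAAAAAAAAAAAAAAAAAAAAAAA\r\n"
	"-----END PRIVATE KEY-----\r\n";

const char *demo_tpm(void)
{
	return engine_for_pem(sample_tpm_key, sizeof(sample_tpm_key) - 1);
}

const char *demo_sw(void)
{
	return engine_for_pem(sample_sw_key, sizeof(sample_sw_key) - 1);
}

int main(void)
{
	const char *e = demo_tpm();
	printf("TSS2 key -> engine %s\n", e ? e : "(none)");
	e = demo_sw();
	printf("software key -> engine %s\n", e ? e : "(none)");
	return 0;
}
```

The returned id is what a caller would hand to ENGINE_by_id() after the builtin engines have been loaded; when the function returns NULL the caller falls back to whatever engine path the configuration names, so a plain software key keeps its current behaviour.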

Comments

Jouni Malinen May 2, 2019, 12:38 p.m. UTC | #1
On Sun, Apr 28, 2019 at 09:56:34PM +0300, David Woodhouse wrote:
> Commit 373c7969485 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
> deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
> versions of OpenSSL, asserting that it should happen automatically.
> 
> That appears not to be the case, and loading engines now fails because
> the dynamic engine isn't present.
> 
> Fix it by calling ENGINE_load_builtin_engines(), which works for all
> versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
> because that should have happened when SSL_load_error_strings() is
> called anyway.

Thanks, applied.

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 705fa29a3..c996ea562 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1033,11 +1033,8 @@  void * tls_init(const struct tls_config *conf)
 	}
 
 #ifndef OPENSSL_NO_ENGINE
-	wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	ERR_load_ENGINE_strings();
-	ENGINE_load_dynamic();
-#endif /* OPENSSL_VERSION_NUMBER */
+	wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
+	ENGINE_load_builtin_engines();
 
 	if (conf &&
 	    (conf->opensc_engine_path || conf->pkcs11_engine_path ||
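Review bot: the new `ENGINE_load_builtin_engines();` call sits before the `if (conf && (conf->opensc_engine_path || conf->pkcs11_engine_path ||` check, so builtin engines are registered on every tls_init() even when no engine path is configured, whereas the removed code at least limited the work to ENGINE_load_dynamic() plus its error strings. If loading unconditionally is intended (the commit message says the dynamic engine must exist before engines can be loaded at all), say so in the debug message or a one-line comment; otherwise move the call inside that conditional. The removed ERR_load_ENGINE_strings() is justified only by the commit message's claim that SSL_load_error_strings() covers it, which this hunk does not show; a short comment at the call site would keep that reasoning with the code.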