[openssl] master update
The branch master has been updated via 3a23f01268ec47bf3423b849cc226be220745522 (commit) from 09030ee73693411c19b596cb0e0f43eb512ac0e6 (commit) - Log - commit 3a23f01268ec47bf3423b849cc226be220745522 Author: Tom Cosgrove Date: Mon Feb 7 14:44:56 2022 + aarch64: fix branch target indications in arm64cpuid.pl and keccak1600 Add missing AARCH64_VALID_CALL_TARGET to armv8_rng_probe(). Also add these to the functions defined by gen_random(), and note that this Perl sub prints the assembler out directly, not going via the $code xlate mechanism (and therefore coming before the include of arm_arch.h). So fix this too. In KeccakF1600_int, AARCH64_SIGN_LINK_REGISTER functions as AARCH64_VALID_CALL_TARGET on BTI-only builds, so it needs to come before the 'adr' line. Change-Id: If241efe71591c88253a3e36647ced00300c3c1a3 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17653) --- Summary of changes: crypto/arm64cpuid.pl | 9 ++--- crypto/sha/asm/keccak1600-armv8.pl | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl index ebea4be59c..3ba593a488 100755 --- a/crypto/arm64cpuid.pl +++ b/crypto/arm64cpuid.pl @@ -189,6 +189,7 @@ CRYPTO_memcmp: .globl _armv8_rng_probe .type _armv8_rng_probe,%function _armv8_rng_probe: + AARCH64_VALID_CALL_TARGET mrs x0, s3_3_c2_c4_0// rndr mrs x0, s3_3_c2_c4_1// rndrrs ret @@ -199,7 +200,7 @@ sub gen_random { my $rdop = shift; my $rand_reg = $rdop eq "rndr" ? "s3_3_c2_c4_0" : "s3_3_c2_c4_1"; -print<<___; +return <<___; // Fill buffer with Randomly Generated Bytes // inputs: char * in x0 - Pointer to buffer // size_t in x1 - Number of bytes to write to buffer @@ -208,6 +209,7 @@ print<<___; .type OPENSSL_${rdop}_asm,%function .align 4 OPENSSL_${rdop}_asm: + AARCH64_VALID_CALL_TARGET mov x2,xzr mov x3,xzr @@ -244,8 +246,9 @@ OPENSSL_${rdop}_asm: .size OPENSSL_${rdop}_asm,.-OPENSSL_${rdop}_asm ___ } -gen_random("rndr"); -gen_random("rndrrs"); + +$code .= gen_random("rndr"); +$code .= gen_random("rndrrs"); print $code; close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl index cf54b62c63..40f7aa7a69 100755 --- a/crypto/sha/asm/keccak1600-armv8.pl +++ b/crypto/sha/asm/keccak1600-armv8.pl @@ -126,8 +126,8 @@ $code.=<<___; .type KeccakF1600_int,%function .align 5 KeccakF1600_int: - adr $C[2],iotas AARCH64_SIGN_LINK_REGISTER + adr $C[2],iotas stp $C[2],x30,[sp,#16] // 32 bytes on top are mine b .Loop .align 4
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DSgLC_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHXjqd9CfnR3RQcM1RdMQM-2BJjYpLSjtHDm8VANGajqz5216GLARHiM2LzVggogZm4Aocj-2B-2BLAKoM4aFPY7Al2cwPNsRa0Yu0xaZZm7WmNJS2pMoGrTsFv3J4kiyJNDs2K3nL4AKU8Oj7VIcy-2B0unbqH0xdnuhvE4F4-2FjJb60xD7vYe3GdANJcMRz8Xci2z3hHc-3D Build ID: 435761 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 828bbe3795c82fe060f823ff117a753e81fb48d3 (commit) from ebdec62c38494739d9cb4cdd6b1c4a511d169a90 (commit) - Log - commit 828bbe3795c82fe060f823ff117a753e81fb48d3 Author: Jiasheng Jiang Date: Sat Feb 5 19:31:11 2022 +0800 Add the check after calling OPENSSL_strdup Since the potential failure of the memory allocation, the OPENSSL_strdup() could return NULL pointer. Therefore, it should be better to check it in order to guarantee the success of the configuration, same as the check for SSL_CTX_set_srp_username(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17643) (cherry picked from commit 09030ee73693411c19b596cb0e0f43eb512ac0e6) --- Summary of changes: test/helpers/handshake_srp.c | 16 1 file changed, 16 insertions(+) diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index f18e5c81a6..11825d1dca 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -49,6 +49,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); +if (server_ctx_data->srp_user == NULL || server_ctx_data->srp_password == NULL) { +OPENSSL_free(server_ctx_data->srp_user); +OPENSSL_free(server_ctx_data->srp_password); +server_ctx_data->srp_user = NULL; +server_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); } if (extra->server2.srp_user != NULL) { @@ -57,6 +64,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); +if (server2_ctx_data->srp_user == NULL || server2_ctx_data->srp_password == NULL) { +OPENSSL_free(server2_ctx_data->srp_user); +OPENSSL_free(server2_ctx_data->srp_password); +server2_ctx_data->srp_user = NULL; +server2_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); } if (extra->client.srp_user != NULL) { @@ -65,6 +79,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, return 0; SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); +if (client_ctx_data->srp_password == NULL) +return 0; SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); } return 1;
[openssl] master update
The branch master has been updated via 09030ee73693411c19b596cb0e0f43eb512ac0e6 (commit) from 29af9fba64fd3e4e086808f2360501b463627ea2 (commit) - Log - commit 09030ee73693411c19b596cb0e0f43eb512ac0e6 Author: Jiasheng Jiang Date: Sat Feb 5 19:31:11 2022 +0800 Add the check after calling OPENSSL_strdup Since the potential failure of the memory allocation, the OPENSSL_strdup() could return NULL pointer. Therefore, it should be better to check it in order to guarantee the success of the configuration, same as the check for SSL_CTX_set_srp_username(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17643) --- Summary of changes: test/helpers/handshake_srp.c | 16 1 file changed, 16 insertions(+) diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index f18e5c81a6..11825d1dca 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -49,6 +49,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); +if (server_ctx_data->srp_user == NULL || server_ctx_data->srp_password == NULL) { +OPENSSL_free(server_ctx_data->srp_user); +OPENSSL_free(server_ctx_data->srp_password); +server_ctx_data->srp_user = NULL; +server_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); } if (extra->server2.srp_user != NULL) { @@ -57,6 +64,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); +if (server2_ctx_data->srp_user == NULL || server2_ctx_data->srp_password == NULL) { +OPENSSL_free(server2_ctx_data->srp_user); +OPENSSL_free(server2_ctx_data->srp_password); +server2_ctx_data->srp_user = NULL; +server2_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); } if (extra->client.srp_user != NULL) { @@ -65,6 +79,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, return 0; SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); +if (client_ctx_data->srp_password == NULL) +return 0; SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); } return 1;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via ebdec62c38494739d9cb4cdd6b1c4a511d169a90 (commit) from e44b212bdce225fd2d7e2349a7f787e7c9ade4fd (commit) - Log - commit ebdec62c38494739d9cb4cdd6b1c4a511d169a90 Author: Matt Caswell Date: Mon Feb 7 10:32:08 2022 + Fix an enginetest failure when compiled with no-deprecated --api=1.1.1 Fixes #17649 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17652) (cherry picked from commit 29af9fba64fd3e4e086808f2360501b463627ea2) --- Summary of changes: test/enginetest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/test/enginetest.c b/test/enginetest.c index 04e61743a1..c00e1f82c4 100644 --- a/test/enginetest.c +++ b/test/enginetest.c @@ -24,6 +24,7 @@ # include # include # include +# include static void display_engine_list(void) {
[openssl] master update
The branch master has been updated via 29af9fba64fd3e4e086808f2360501b463627ea2 (commit) from 2a6994cfa08368a710d66caaae4fc07ad35631bf (commit) - Log - commit 29af9fba64fd3e4e086808f2360501b463627ea2 Author: Matt Caswell Date: Mon Feb 7 10:32:08 2022 + Fix an enginetest failure when compiled with no-deprecated --api=1.1.1 Fixes #17649 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17652) --- Summary of changes: test/enginetest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/test/enginetest.c b/test/enginetest.c index 04e61743a1..c00e1f82c4 100644 --- a/test/enginetest.c +++ b/test/enginetest.c @@ -24,6 +24,7 @@ # include # include # include +# include static void display_engine_list(void) {
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via e44b212bdce225fd2d7e2349a7f787e7c9ade4fd (commit) from 53234cb0f408bbfbb04ea0e12f1fc61feb2aa600 (commit) - Log - commit e44b212bdce225fd2d7e2349a7f787e7c9ade4fd Author: Daniel Date: Sun Feb 6 15:01:14 2022 +0100 Send auxiliary messages to bio_err. Fixes openssl#17613. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17650) (cherry picked from commit 2a6994cfa08368a710d66caaae4fc07ad35631bf) --- Summary of changes: apps/x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/x509.c b/apps/x509.c index 2880ae792a..c9c10c260e 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -706,9 +706,9 @@ int x509_main(int argc, char **argv) : "Certificate request self-signature did not match the contents\n"); goto end; } -BIO_printf(out, "Certificate request self-signature ok\n"); +BIO_printf(bio_err, "Certificate request self-signature ok\n"); -print_name(out, "subject=", X509_REQ_get_subject_name(req)); +print_name(bio_err, "subject=", X509_REQ_get_subject_name(req)); } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); }
[openssl] master update
The branch master has been updated via 2a6994cfa08368a710d66caaae4fc07ad35631bf (commit) from aefbcde29166caf851cf388361d70fd0dcf17d87 (commit) - Log - commit 2a6994cfa08368a710d66caaae4fc07ad35631bf Author: Daniel Date: Sun Feb 6 15:01:14 2022 +0100 Send auxiliary messages to bio_err. Fixes openssl#17613. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17650) --- Summary of changes: apps/x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/x509.c b/apps/x509.c index 29dc74ca9e..f62f809a9c 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -711,9 +711,9 @@ int x509_main(int argc, char **argv) : "Certificate request self-signature did not match the contents\n"); goto err; } -BIO_printf(out, "Certificate request self-signature ok\n"); +BIO_printf(bio_err, "Certificate request self-signature ok\n"); -print_name(out, "subject=", X509_REQ_get_subject_name(req)); +print_name(bio_err, "subject=", X509_REQ_get_subject_name(req)); } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); }
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 53234cb0f408bbfbb04ea0e12f1fc61feb2aa600 (commit) from db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 (commit) - Log - commit 53234cb0f408bbfbb04ea0e12f1fc61feb2aa600 Author: Jiasheng Jiang Date: Sat Feb 5 18:00:51 2022 +0800 rsa: add check after calling BN_BLINDING_lock As the potential failure of getting lock, we need to check the return value of the BN_BLINDING_lock() in order to avoid the dirty data. Signed-off-by: Jiasheng Jiang Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17642) (cherry picked from commit aefbcde29166caf851cf388361d70fd0dcf17d87) --- Summary of changes: crypto/rsa/rsa_ossl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index c417a4b8f6..de4a580032 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -213,7 +213,9 @@ static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, */ int ret; -BN_BLINDING_lock(b); +if (!BN_BLINDING_lock(b)) +return 0; + ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); BN_BLINDING_unlock(b);
[openssl] master update
The branch master has been updated via aefbcde29166caf851cf388361d70fd0dcf17d87 (commit) from 14db620282bea38dc44479e562cf9bb61a716444 (commit) - Log - commit aefbcde29166caf851cf388361d70fd0dcf17d87 Author: Jiasheng Jiang Date: Sat Feb 5 18:00:51 2022 +0800 rsa: add check after calling BN_BLINDING_lock As the potential failure of getting lock, we need to check the return value of the BN_BLINDING_lock() in order to avoid the dirty data. Signed-off-by: Jiasheng Jiang Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17642) --- Summary of changes: crypto/rsa/rsa_ossl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index c417a4b8f6..de4a580032 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -213,7 +213,9 @@ static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, */ int ret; -BN_BLINDING_lock(b); +if (!BN_BLINDING_lock(b)) +return 0; + ret = BN_BLINDING_convert_ex(f, unblind, b, ctx); BN_BLINDING_unlock(b);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 (commit) from 01d4f5cdd4125bd81878257ae357ff191bc31dd1 (commit) - Log - commit db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 Author: Bernd Edlinger Date: Sun Jan 16 17:59:17 2022 +0100 Check for presence of 1.1.x openssl runtime if the newly loaded engine contains the symbol EVP_PKEY_base_id, we know it is linked to 1.1.x openssl. Abort loading this engine, as it will definitely crash. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17112) (cherry picked from commit 14db620282bea38dc44479e562cf9bb61a716444) --- Summary of changes: crypto/engine/eng_dyn.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index c8a54f7d44..68b9ac311d 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -451,8 +451,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too * old. + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 1.1.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_base_id is exported + * as a function in openssl 1.1.x, while it is a macro in openssl 3.x, + * and therefore only the symbol EVP_PKEY_get_base_id is available + * in openssl 3.x. */ -if (vcheck_res < OSSL_DYNAMIC_OLDEST) { +if (vcheck_res < OSSL_DYNAMIC_OLDEST +|| DSO_bind_func(ctx->dynamic_dso, + "EVP_PKEY_base_id") != NULL) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 01d4f5cdd4125bd81878257ae357ff191bc31dd1 (commit) from d7975674e5aaded44a6845d3d1beac08477a22ad (commit) - Log - commit 01d4f5cdd4125bd81878257ae357ff191bc31dd1 Author: Bernd Edlinger Date: Mon Nov 22 21:50:04 2021 +0100 Prevent crash with engine using different openssl runtime This problem happens usually because an application links libcrypto and/or libssl statically which installs an atexit handler, but later an engine using a shared instance of libcrypto is installed. The problem is in simple words that both instances of libcrypto have an atexit handler installed, but both are unable to coordinate with each other, which causes a crash, typically a use-after-free in the engine's destroy function. Work around that by preventing the engine's libcrypto to install the atexit handler. This may result in a small memory leak, but that memory is still reachable. Fixes #15898 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17112) (cherry picked from commit 9362a1b32b7330e24d3bca230b412557caea095b) --- Summary of changes: include/openssl/engine.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/openssl/engine.h b/include/openssl/engine.h index 25c3cf7c19..70c856a9cd 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h @@ -801,6 +801,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id, CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \ fns->mem_fns.realloc_fn, \ fns->mem_fns.free_fn); \ +OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \ skip_cbs: \ if (!fn(e, id)) return 0; \ return 1; }
[openssl] master update
The branch master has been updated via 14db620282bea38dc44479e562cf9bb61a716444 (commit) via 9362a1b32b7330e24d3bca230b412557caea095b (commit) from eafd3e9d07e99583a1439bb027e4d6af43e2df27 (commit) - Log - commit 14db620282bea38dc44479e562cf9bb61a716444 Author: Bernd Edlinger Date: Sun Jan 16 17:59:17 2022 +0100 Check for presence of 1.1.x openssl runtime if the newly loaded engine contains the symbol EVP_PKEY_base_id, we know it is linked to 1.1.x openssl. Abort loading this engine, as it will definitely crash. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17112) commit 9362a1b32b7330e24d3bca230b412557caea095b Author: Bernd Edlinger Date: Mon Nov 22 21:50:04 2021 +0100 Prevent crash with engine using different openssl runtime This problem happens usually because an application links libcrypto and/or libssl statically which installs an atexit handler, but later an engine using a shared instance of libcrypto is installed. The problem is in simple words that both instances of libcrypto have an atexit handler installed, but both are unable to coordinate with each other, which causes a crash, typically a use-after-free in the engine's destroy function. Work around that by preventing the engine's libcrypto to install the atexit handler. This may result in a small memory leak, but that memory is still reachable. Fixes #15898 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17112) --- Summary of changes: crypto/engine/eng_dyn.c | 11 ++- include/openssl/engine.h | 1 + 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index c8a54f7d44..68b9ac311d 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -451,8 +451,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too * old. + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 1.1.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_base_id is exported + * as a function in openssl 1.1.x, while it is a macro in openssl 3.x, + * and therefore only the symbol EVP_PKEY_get_base_id is available + * in openssl 3.x. */ -if (vcheck_res < OSSL_DYNAMIC_OLDEST) { +if (vcheck_res < OSSL_DYNAMIC_OLDEST +|| DSO_bind_func(ctx->dynamic_dso, + "EVP_PKEY_base_id") != NULL) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL; diff --git a/include/openssl/engine.h b/include/openssl/engine.h index 25c3cf7c19..70c856a9cd 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h @@ -801,6 +801,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id, CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \ fns->mem_fns.realloc_fn, \ fns->mem_fns.free_fn); \ +OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \ skip_cbs: \ if (!fn(e, id)) return 0; \ return 1; }