Parcourir la source

OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()

Recent versions of engine_pkcs11 are set up to be autoloaded on demand
with ENGINE_by_id() because they don't need explicit configuration.

But if we *do* want to explicitly configure them with a PKCS#11 module
path, we should still do so.

We can't tell whether it was already initialised, but it's harmless to
repeat the MODULE_PATH command if it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Michael Schaller <misch@google.com>
David Woodhouse il y a 8 ans
Parent
commit
c3d7fb7e27
1 fichiers modifiés avec 9 ajouts et 3 suppressions
  1. 9 3
      src/crypto/tls_openssl.c

+ 9 - 3
src/crypto/tls_openssl.c

@@ -729,10 +729,16 @@ static int tls_engine_load_dynamic_generic(const char *pre[],
 
 	engine = ENGINE_by_id(id);
 	if (engine) {
-		ENGINE_free(engine);
 		wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
 			   "available", id);
-		return 0;
+		/*
+		 * If it was auto-loaded by ENGINE_by_id() we might still
+		 * need to tell it which PKCS#11 module to use in legacy
+		 * (non-p11-kit) environments. Do so now; even if it was
+		 * properly initialised before, setting it again will be
+		 * harmless.
+		 */
+		goto found;
 	}
 	ERR_clear_error();
 
@@ -769,7 +775,7 @@ static int tls_engine_load_dynamic_generic(const char *pre[],
 			   id, ERR_error_string(ERR_get_error(), NULL));
 		return -1;
 	}
-
+ found:
 	while (post && post[0]) {
 		wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
 		if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {