Disable custom EVP_PKEY methods in provider mode

olszomal · olszomal · commit 6a597005b5e7 · 2026-03-19T14:58:23.000+01:00
diff --git a/src/eng_back.c b/src/eng_back.c
@@ -96,7 +96,7 @@ ENGINE_CTX *ENGINE_CTX_new(void)
 	if (!ctx)
 		return NULL;
 	memset(ctx, 0, sizeof(ENGINE_CTX));
-	ctx->util_ctx = UTIL_CTX_new();
+	ctx->util_ctx = UTIL_CTX_new(0);
 	if (!ctx->util_ctx) {
 		OPENSSL_free(ctx);
 		return NULL;
diff --git a/src/libp11-int.h b/src/libp11-int.h
@@ -56,6 +56,7 @@ typedef struct pkcs11_object_ops PKCS11_OBJECT_ops;
  * PKCS11_CTX: context for a PKCS11 implementation
  */
 struct pkcs11_ctx_private {
+	int flags;
 	CK_FUNCTION_LIST_PTR method;
 	void *handle;
 	char *init_args;
@@ -213,7 +214,7 @@ extern void pkcs11_zap_attrs(PKCS11_TEMPLATE *);
 extern int pkcs11_atomic_add(int *, int, pthread_mutex_t *);
 
 /* Allocate the context */
-extern PKCS11_CTX *pkcs11_CTX_new(void);
+extern PKCS11_CTX *pkcs11_CTX_new(int flags);
 
 /* Specify any private PKCS#11 module initialization args, if necessary */
 extern void pkcs11_CTX_init_args(PKCS11_CTX *ctx, const char *init_args);
diff --git a/src/libp11.exports b/src/libp11.exports
@@ -1,4 +1,5 @@
 PKCS11_CTX_init_args
+PKCS11_CTX_new_ex
 PKCS11_CTX_new
 PKCS11_CTX_load
 PKCS11_CTX_unload
diff --git a/src/libp11.h b/src/libp11.h
@@ -38,6 +38,8 @@
 extern "C" {
 #endif
 
+#define PKCS11_FLAG_NO_METHODS 1
+
 int ERR_load_CKR_strings(void);
 void ERR_unload_CKR_strings(void);
 void ERR_CKR_error(int function, int reason, char *file, int line);
@@ -145,6 +147,14 @@ typedef struct PKCS11_kgen_attrs_st {
 /** PKCS11 ASCII logging callback */
 typedef void (*PKCS11_VLOG_A_CB)(int, const char *, va_list);
 
+/**
+ * Create a new libp11 context with specified flags
+ *
+ * This should be the first function called in the use of libp11
+ * @return an allocated context
+ */
+extern PKCS11_CTX *PKCS11_CTX_new_ex(int flags);
+
 /**
  * Create a new libp11 context
  *
diff --git a/src/p11_eddsa.c b/src/p11_eddsa.c
@@ -593,24 +593,22 @@ static EVP_PKEY *pkcs11_get_evp_key_ed25519(PKCS11_OBJECT_private *key)
 	if (!pkey)
 		return NULL;
 
-	if (key->object_class == CKO_PRIVATE_KEY) {
 #if OPENSSL_VERSION_NUMBER < 0x40000000L
-		/* global initialize ED25519 EVP_PKEY_METHOD */
-		if (!pkcs11_ed25519_method_new()) {
-			EVP_PKEY_free(pkey);
-			return NULL;
+	if (key->object_class == CKO_PRIVATE_KEY) {
+		if ((key->slot->ctx->flags & PKCS11_FLAG_NO_METHODS) == 0) {
+			/* global initialize ED25519 EVP_PKEY_METHOD */
+			if (!pkcs11_ed25519_method_new()) {
+				EVP_PKEY_free(pkey);
+				return NULL;
+			}
+			/* creates a new EVP_PKEY object which requires its own key object reference */
+			key = pkcs11_object_ref(key);
+			alloc_pkey_ex_index();
+			pkcs11_set_ex_data_pkey(pkey, key);
+			atexit(pkcs11_ed25519_method_free);
 		}
-#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
-
-		/* creates a new EVP_PKEY object which requires its own key object reference */
-		key = pkcs11_object_ref(key);
-
-#if OPENSSL_VERSION_NUMBER < 0x40000000L
-		alloc_pkey_ex_index();
-		pkcs11_set_ex_data_pkey(pkey, key);
-		atexit(pkcs11_ed25519_method_free);
-#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	}
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	return pkey;
 }
 
@@ -630,24 +628,22 @@ static EVP_PKEY *pkcs11_get_evp_key_ed448(PKCS11_OBJECT_private *key)
 	if (!pkey)
 		return NULL;
 
-	if (key->object_class == CKO_PRIVATE_KEY) {
 #if OPENSSL_VERSION_NUMBER < 0x40000000L
-		/* global initialize ED448 EVP_PKEY_METHOD */
-		if (!pkcs11_ed448_method_new()) {
-			EVP_PKEY_free(pkey);
-			return NULL;
+	if (key->object_class == CKO_PRIVATE_KEY) {
+		if ((key->slot->ctx->flags & PKCS11_FLAG_NO_METHODS) == 0) {
+			/* global initialize ED448 EVP_PKEY_METHOD */
+			if (!pkcs11_ed448_method_new()) {
+				EVP_PKEY_free(pkey);
+				return NULL;
+			}
+			/* create a new EVP_PKEY object which requires its own key object reference */
+			key = pkcs11_object_ref(key);
+			alloc_pkey_ex_index();
+			pkcs11_set_ex_data_pkey(pkey, key);
+			atexit(pkcs11_ed25519_method_free);
 		}
-#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
-
-		/* create a new EVP_PKEY object which requires its own key object reference */
-		key = pkcs11_object_ref(key);
-
-#if OPENSSL_VERSION_NUMBER < 0x40000000L
-		alloc_pkey_ex_index();
-		pkcs11_set_ex_data_pkey(pkey, key);
-		atexit(pkcs11_ed448_method_free);
-#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	}
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	return pkey;
 }
 
diff --git a/src/p11_front.c b/src/p11_front.c
@@ -32,9 +32,14 @@
 
 /* External interface to the libp11 features */
 
+PKCS11_CTX *PKCS11_CTX_new_ex(int flags)
+{
+	return pkcs11_CTX_new(flags);
+}
+
 PKCS11_CTX *PKCS11_CTX_new(void)
 {
-	return pkcs11_CTX_new();
+	return pkcs11_CTX_new(0);
 }
 
 void PKCS11_CTX_init_args(PKCS11_CTX *ctx, const char *init_args)
diff --git a/src/p11_load.c b/src/p11_load.c
@@ -26,7 +26,7 @@ int pkcs11_global_data_refs = 0;
 /*
  * Create a new context
  */
-PKCS11_CTX *pkcs11_CTX_new(void)
+PKCS11_CTX *pkcs11_CTX_new(int flags)
 {
 	PKCS11_CTX_private *cpriv = NULL;
 	PKCS11_CTX *ctx = NULL;
@@ -38,6 +38,7 @@ PKCS11_CTX *pkcs11_CTX_new(void)
 	if (!cpriv)
 		goto fail;
 	memset(cpriv, 0, sizeof(PKCS11_CTX_private));
+	cpriv->flags = flags;
 	ctx = OPENSSL_malloc(sizeof(PKCS11_CTX));
 	if (!ctx)
 		goto fail;
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
@@ -342,22 +342,20 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_OBJECT_private *key)
 	}
 	if (key->object_class == CKO_PRIVATE_KEY) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
-		/* global initialize RSA EVP_PKEY_METHOD */
-		if (!pkcs11_pkey_method_rsa_new()) {
-			EVP_PKEY_free(pk);
-			return NULL;
+                if ((key->slot->ctx->flags & PKCS11_FLAG_NO_METHODS) == 0) {
+			/* global initialize RSA EVP_PKEY_METHOD */
+			if (!pkcs11_pkey_method_rsa_new()) {
+				EVP_PKEY_free(pk);
+				return NULL;
+			}
+			/* creates a new EVP_PKEY object which requires its own key object reference */
+			key = pkcs11_object_ref(key);
+			alloc_pkey_ex_index();
+			pkcs11_set_ex_data_pkey(pk, key);
+			atexit(pkcs11_rsa_key_method_free);
 		}
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
 
-		/* creates a new EVP_PKEY object which requires its own key object reference */
-		key = pkcs11_object_ref(key);
-
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
-		alloc_pkey_ex_index();
-		pkcs11_set_ex_data_pkey(pk, key);
-		atexit(pkcs11_rsa_key_method_free);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
-
 		RSA_set_method(rsa, PKCS11_get_rsa_method());
 #if OPENSSL_VERSION_NUMBER >= 0x10100005L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL )
 		RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY);
diff --git a/src/provider_helpers.c b/src/provider_helpers.c
@@ -168,7 +168,7 @@ PROVIDER_CTX *PROVIDER_CTX_new(void)
 	if (!prov_ctx)
 		return NULL;
 
-	prov_ctx->util_ctx = UTIL_CTX_new();
+	prov_ctx->util_ctx = UTIL_CTX_new(PKCS11_FLAG_NO_METHODS);
 	if (!prov_ctx->util_ctx) {
 		OPENSSL_free(prov_ctx);
 		return NULL;
diff --git a/src/util.h b/src/util.h
@@ -53,7 +53,7 @@
 /* defined in util_uri.c */
 typedef struct util_ctx_st UTIL_CTX; /* opaque */
 
-UTIL_CTX *UTIL_CTX_new(void);
+UTIL_CTX *UTIL_CTX_new(int flags);
 void UTIL_CTX_free(UTIL_CTX *ctx);
 int UTIL_CTX_set_module(UTIL_CTX *ctx, const char *module);
 int UTIL_CTX_set_init_args(UTIL_CTX *ctx, const char *init_args);
diff --git a/src/util_uri.c b/src/util_uri.c
@@ -48,6 +48,7 @@
 
 struct util_ctx_st {
 	/* Configuration */
+	int flags;
 	char *module;
 	char *init_args;
 	UI_METHOD *ui_method;
@@ -81,7 +82,7 @@ static int g_shutdown_mode = 0;
 /* Initialization                                                             */
 /******************************************************************************/
 
-UTIL_CTX *UTIL_CTX_new(void)
+UTIL_CTX *UTIL_CTX_new(int flags)
 {
 	UTIL_CTX *ctx = OPENSSL_malloc(sizeof(UTIL_CTX));
 
@@ -90,6 +91,7 @@ UTIL_CTX *UTIL_CTX_new(void)
 
 	memset(ctx, 0, sizeof(UTIL_CTX));
 	pthread_mutex_init(&ctx->lock, 0);
+	ctx->flags = flags;
 	return ctx;
 }
 
@@ -165,7 +167,7 @@ static int util_ctx_init_libp11(UTIL_CTX *ctx)
 
 	UTIL_CTX_log(ctx, LOG_NOTICE, "PKCS#11: Initializing the module: %s\n", ctx->module);
 
-	ctx->pkcs11_ctx = PKCS11_CTX_new();
+	ctx->pkcs11_ctx = PKCS11_CTX_new_ex(ctx->flags);
 	if (!ctx->pkcs11_ctx)
 		return -1;
 	PKCS11_set_vlog_a_method(ctx->pkcs11_ctx, ctx->vlog);

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`PKCS11_CTX_init_args`
	`2`	`+PKCS11_CTX_new_ex`
`2`	`3`	`PKCS11_CTX_new`
`3`	`4`	`PKCS11_CTX_load`
`4`	`5`	`PKCS11_CTX_unload`
Original file line number	Diff line number	Diff line change
`@@ -32,9 +32,14 @@`
`32`	`32`
`33`	`33`	`/* External interface to the libp11 features */`
`34`	`34`
	`35`	`+PKCS11_CTX *PKCS11_CTX_new_ex(int flags)`
	`36`	`+{`
	`37`	`+ return pkcs11_CTX_new(flags);`
	`38`	`+}`
	`39`	`+`
`35`	`40`	`PKCS11_CTX *PKCS11_CTX_new(void)`
`36`	`41`	`{`
`37`		`- return pkcs11_CTX_new();`
	`42`	`+ return pkcs11_CTX_new(0);`
`38`	`43`	`}`
`39`	`44`
`40`	`45`	`void PKCS11_CTX_init_args(PKCS11_CTX ctx, const char init_args)`