26 changes: 26 additions & 0 deletions m4/acx_crypto_backend.m4
Expand Up @@ -49,6 +49,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
AC_MSG_RESULT(no)
fi

# Option to disable usage engines

AC_ARG_ENABLE(openssl-engines,
AS_HELP_STRING([--disable-openssl-engines],
[Disable OpenSSL engines usage]
),
[enable_openssl_engines="${enableval}"],
[enable_openssl_engines="yes"]
)

# Then check what crypto library we want to use

AC_ARG_WITH(crypto-backend,
Expand Down Expand Up @@ -105,6 +115,22 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
ACX_OPENSSL_EVPAESWRAP
fi

AC_MSG_CHECKING(for OpenSSL engines support)
if test "x${enable_openssl_engines}" = "xyes"; then
ACX_OPENSSL_ENGINES
if test "x${have_lib_openssl_engines_support}" = "xyes"; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
AC_DEFINE_UNQUOTED([WITHOUT_OPENSSL_ENGINES], [1],
[Compile without OpenSSL engines support as it is unavailable])
fi
else
AC_MSG_RESULT([disabled])
AC_DEFINE([WITHOUT_OPENSSL_ENGINES], [1],
[Compile without OpenSSL engines support as it is disabled])
fi

AC_DEFINE_UNQUOTED(
[WITH_RAW_PSS],
[1],
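Review bot: In the second hunk, when engines are left enabled (the default) but ACX_OPENSSL_ENGINES reports no support, the branch only prints `no` and defines WITHOUT_OPENSSL_ENGINES, so the build silently drops the RDRAND engine registration and the GOST engine loading that src/lib/crypto/OSSLCryptoFactory.cpp now puts behind WITH_ENGINES; an `AC_MSG_WARN([OpenSSL engines are enabled but unusable; building without the RDRAND and GOST engines])` in that else branch would leave a record of the downgrade in the configure log. That branch also uses AC_DEFINE_UNQUOTED although nothing in its arguments needs shell expansion; plain `AC_DEFINE([WITHOUT_OPENSSL_ENGINES], [1], [Compile without OpenSSL engines support as it is unavailable])` as in the disabled branch keeps the two consistent. The probe relies on CRYPTO_INCLUDES and CRYPTO_LIBS being set by this point, which cannot be confirmed from the hunk. The enclosing AC_DEFUN body continues outside both hunks.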
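--- a/m4/acx_openssl_engines.m4
+++ b/m4/acx_openssl_engines.m4
@@ -0,0 +1,35 @@
+AC_DEFUN([ACX_OPENSSL_ENGINES], [
+
+tmp_CPPFLAGS=$CPPFLAGS
+tmp_LIBS=$LIBS
+
+CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+LIBS="$CRYPTO_LIBS $LIBS"
+
+AC_LANG_PUSH([C])
+AC_CACHE_VAL([acx_cv_lib_openssl_engines_support], [
+acx_cv_lib_openssl_engines_support=no
+AC_COMPILE_IFELSE([
+AC_LANG_SOURCE([[
+#include <openssl/engine.h>
+#ifdef OPENSSL_NO_ENGINE
+#error "Engines are disabled"
+#endif
+int main() {
+ENGINE_load_builtin_engines();
+return 0;
+}
+]])
+], [
+acx_cv_lib_openssl_engines_support=yes
+], [
+acx_cv_lib_openssl_engines_support=no
+])
+])
+AC_LANG_POP([C])
+
+CPPFLAGS=$tmp_CPPFLAGS
+LIBS=$tmp_LIBS
+
+have_lib_openssl_engines_support="${acx_cv_lib_openssl_engines_support}"
+])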
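Review bot: The probe uses AC_COMPILE_IFELSE, so the test program is only compiled and `LIBS="$CRYPTO_LIBS $LIBS"` is never exercised; a libcrypto whose headers still declare the ENGINE API but whose library was built without engines would pass this check and fail later at link time. `AC_LINK_IFELSE` in place of `AC_COMPILE_IFELSE` makes the saved LIBS meaningful and verifies that ENGINE_load_builtin_engines resolves against the library that will actually be linked; the `#error` on OPENSSL_NO_ENGINE already covers the header side. A short `dnl` comment above AC_CACHE_VAL stating what the cache variable means (yes when <openssl/engine.h> is usable and the ENGINE API is available) would help readers of the other m4 files that consume have_lib_openssl_engines_support.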
8 changes: 6 additions & 2 deletions src/lib/crypto/OSSLCryptoFactory.cpp
Expand Up @@ -141,6 +141,7 @@ OSSLCryptoFactory::OSSLCryptoFactory()
// Initialise OpenSSL
OpenSSL_add_all_algorithms();

#ifdef WITH_ENGINES
#if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
// Make sure RDRAND is loaded first
ENGINE_load_rdrand();
Expand All @@ -161,11 +162,12 @@ OSSLCryptoFactory::OSSLCryptoFactory()
WARNING_MSG("ENGINE_set_default returned %lu\n", ERR_get_error());
}
}
#endif

// Initialise the one-and-only RNG
rng = new OSSLRNG();

#ifdef WITH_GOST
#if defined(WITH_ENGINES) && defined(WITH_GOST)
// Load engines
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
ENGINE_load_builtin_engines();
Expand Down Expand Up @@ -228,7 +230,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
{
bool ossl_shutdown = false;

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#if defined(WITH_ENGINES) && OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
// OpenSSL 1.1.0+ will register an atexit() handler to run
// OPENSSL_cleanup(). If that has already happened we must
// not attempt to free any ENGINEs because they'll already
Expand All @@ -243,6 +245,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
#endif
if (!ossl_shutdown)
{
#ifdef WITH_ENGINES
#ifdef WITH_GOST
// Finish the GOST engine
if (eg != NULL)
Expand All @@ -257,6 +260,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
ENGINE_finish(rdrand_engine);
ENGINE_free(rdrand_engine);
rdrand_engine = NULL;
#endif

// Recycle locks
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
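Review bot: The constructor's `#if defined(WITH_ENGINES) && defined(WITH_GOST)` silently skips loading the GOST engine when WITH_GOST is set but engines turned out to be unavailable, while any GOST support elsewhere that is guarded by WITH_GOST alone would presumably still be compiled in and then find no engine at runtime; the safer shape is to make the two settings unable to disagree, either by failing at configure time (`AC_MSG_ERROR` when GOST is enabled and have_lib_openssl_engines_support is not yes) or by undefining WITH_GOST where WITH_ENGINES is not defined. The same coupling applies to the `#ifdef WITH_GOST` block inside the destructor's new `#ifdef WITH_ENGINES` region. A comment at the constructor's `#ifdef WITH_ENGINES` would also help, e.g. `// Without engine support the RDRAND engine is not registered and OpenSSL's default RAND method is used`. Both the constructor and destructor bodies extend outside the hunks shown.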
7 changes: 7 additions & 0 deletions src/lib/crypto/OSSLCryptoFactory.h
Expand Up @@ -42,7 +42,11 @@
#include "RNG.h"
#include <memory>
#include <openssl/conf.h>
#if !defined(WITHOUT_OPENSSL_ENGINES) && !defined(OPENSSL_NO_ENGINES)
#define WITH_ENGINES 1
#include <openssl/engine.h>
#endif


class OSSLCryptoFactory : public CryptoFactory
{
Expand Down Expand Up @@ -103,13 +107,16 @@ class OSSLCryptoFactory : public CryptoFactory

// The one-and-only RNG instance
RNG* rng;

#ifdef WITH_ENGINES
// And RDRAND engine to use with it
ENGINE *rdrand_engine;

#ifdef WITH_GOST
// The GOST engine
ENGINE *eg;
#endif
#endif
};

#endif // !_SOFTHSM_V2_OSSLCRYPTOFACTORY_H
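Review bot: The guard `#if !defined(WITHOUT_OPENSSL_ENGINES) && !defined(OPENSSL_NO_ENGINES)` tests `OPENSSL_NO_ENGINES`, but the macro OpenSSL's opensslconf.h defines for a no-engine build is `OPENSSL_NO_ENGINE` — the spelling the configure probe in m4/acx_openssl_engines.m4 itself uses — so the second half of the guard never fires and a no-engine libcrypto is caught only by the configure-time test. Change it to `#if !defined(WITHOUT_OPENSSL_ENGINES) && !defined(OPENSSL_NO_ENGINE)`. For that macro to be visible here <openssl/opensslconf.h> must already be included; the preceding `#include <openssl/conf.h>` presumably pulls it in, but an explicit include next to it removes the dependency on that detail.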