[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Rich Salz rsalz at openssl.org
Wed Sep 28 16:01:30 UTC 2016

The branch OpenSSL_1_0_2-stable has been updated
       via  4badd2b3c29c2c6c551c737c07a429a53d9d1a0d (commit)
      from  9702bf5fa269eea8eb3d8bad13cc11fc58fb7e8e (commit)

- Log -----------------------------------------------------------------
commit 4badd2b3c29c2c6c551c737c07a429a53d9d1a0d
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Wed Sep 28 14:31:22 2016 +0100

    Call ENGINE_init() before trying to use keys from engine

    Things like 'openssl s_client' only ever worked with keys from an engine
    which provided a default generic method for some key type — because it
    called ENGINE_set_default() and that ended up being an implicit
    initialisation and functional refcount.

    But an engine which doesn't provide generic methods doesn't get
    initialised, and then when you try to use it you get an error:

    cannot load client certificate private key file from engine
    140688147056384:error:26096075:engine routines:ENGINE_load_private_key:not initialised:crypto/engine/eng_pkey.c:66:
    unable to load client certificate private key file

    cf. https://github.com/OpenSC/libp11/issues/107 (in which we discover
    that engine_pkcs11 *used* to provide generic methods that OpenSSL would
    try to use for ephemeral DH keys when negotiating ECDHE cipher suites in
    TLS, and that didn't work out very well.)

    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1640)


Summary of changes:
 apps/apps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/apps.c b/apps/apps.c
index 9fdc3e0..40401c1 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1553,7 +1553,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
             ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, err, 0);
         ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
-        if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+        if (!ENGINE_init(e) || !ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
             BIO_printf(err, "can't use that engine\n");
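
Review bot: On the added line, when ENGINE_init(e) succeeds and ENGINE_set_default(e, ENGINE_METHOD_ALL) then fails, the error branch is entered while still holding the functional reference that ENGINE_init() took. The rest of that branch is not visible in this hunk, so check that it calls ENGINE_finish(e) for that case; splitting the two calls into separate checks would make the cleanup explicit and would also let each failure print its own message instead of the shared "can't use that engine". On the success path, the new functional reference likewise needs a matching ENGINE_finish() wherever the apps release the engine, and a short comment above the condition saying why ENGINE_init() is now called explicitly would help later readers.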
