[openssl] openssl-3.0 update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Tue Feb 8 12:29:02 UTC 2022


The branch openssl-3.0 has been updated
       via  db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 (commit)
      from  01d4f5cdd4125bd81878257ae357ff191bc31dd1 (commit)


- Log -----------------------------------------------------------------
commit db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Sun Jan 16 17:59:17 2022 +0100

    Check for presence of 1.1.x openssl runtime
    
    If the newly loaded engine contains the symbol
    EVP_PKEY_base_id, we know it is linked to 1.1.x openssl.
    Abort loading this engine, as it will definitely crash.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17112)
    
    (cherry picked from commit 14db620282bea38dc44479e562cf9bb61a716444)

-----------------------------------------------------------------------

Summary of changes:
 crypto/engine/eng_dyn.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index c8a54f7d44..68b9ac311d 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -451,8 +451,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
          * We fail if the version checker veto'd the load *or* if it is
          * deferring to us (by returning its version) and we think it is too
          * old.
+         * Unfortunately the version checker does not distinguish between
+         * engines built for openssl 1.1.x and openssl 3.x, but loading
+         * an engine that is built for openssl 1.1.x will cause a fatal
+         * error.  Detect such engines, since EVP_PKEY_base_id is exported
+         * as a function in openssl 1.1.x, while it is a macro in openssl 3.x,
+         * and therefore only the symbol EVP_PKEY_get_base_id is available
+         * in openssl 3.x.
          */
-        if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+        if (vcheck_res < OSSL_DYNAMIC_OLDEST
+                || DSO_bind_func(ctx->dynamic_dso,
+                                 "EVP_PKEY_base_id") != NULL) {
             /* Fail */
             ctx->bind_engine = NULL;
             ctx->v_check = NULL;
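Review bot: the new `DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_base_id")` probe is expected to fail for every correctly built 3.x engine, and a failed DSO_bind_func lookup records a DSO error, so the common successful-load path now leaves a stale "symbol not found" entry on the error queue; wrap the probe in ERR_set_mark()/ERR_pop_to_mark() so only the genuine failure branch is visible to callers. The added comment also says EVP_PKEY_base_id "is exported as a function in openssl 1.1.x", but the symbol is resolved through the engine's DSO handle, which only finds it when the engine links a 1.1.x libcrypto as a resolvable dependency (an engine relying on the host process for libcrypto symbols is not caught), so state that assumption in the comment. Finally, the `/* Fail */` branch sets `ctx->bind_engine = NULL` and `ctx->v_check = NULL` for both the too-old-version case and the new 1.1.x-engine case without raising a distinct reason, so the caller cannot tell which check rejected the engine; an engine-library error reason for the new case would make the "will definitely crash" situation diagnosable from the error output.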


More information about the openssl-commits mailing list