[openssl] OpenSSL_1_1_1-stable update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Wed Feb 9 16:08:53 UTC 2022


The branch OpenSSL_1_1_1-stable has been updated
       via  0418e993c717a6863f206feaa40673a261de7395 (commit)
       via  38ac4415a9cc4cca307c866e5fc548b889fe2bb6 (commit)
      from  8aa353679f0ad72f478a4800c22ad30f6b972370 (commit)


- Log -----------------------------------------------------------------
commit 0418e993c717a6863f206feaa40673a261de7395
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Sun Jan 16 17:59:17 2022 +0100

    Check for presence of 3.x openssl runtime
    
    if the newly loaded engine contains the symbol
    EVP_PKEY_get_base_id, we know it is linked to 3.x openssl.
    Abort loading this engine, as it will definitely crash.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17541)

commit 38ac4415a9cc4cca307c866e5fc548b889fe2bb6
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Mon Nov 22 21:50:04 2021 +0100

    Prevent crash with engine using different openssl runtime
    
    This problem happens usually because an application
    links libcrypto and/or libssl statically which
    installs an atexit handler, but later an engine using
    a shared instance of libcrypto is installed.
    The problem is in simple words that both instances
    of libcrypto have an atexit handler installed,
    but both are unable to coordinate with each other,
    which causes a crash, typically a use-after-free
    in the engine's destroy function.
    
    Work around that by preventing the engine's
    libcrypto to install the atexit handler.
    This may result in a small memory leak, but that
    memory is still reachable.
    
    Fixes #15898
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17541)

-----------------------------------------------------------------------

Summary of changes:
 crypto/engine/eng_dyn.c  | 11 ++++++++++-
 include/openssl/engine.h |  1 +
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 87c762edb8..b2c34b8da4 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -443,8 +443,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
          * We fail if the version checker veto'd the load *or* if it is
          * deferring to us (by returning its version) and we think it is too
          * old.
+         * Unfortunately the version checker does not distinguish between
+         * engines built for openssl 1.1.x and openssl 3.x, but loading
+         * an engine that is built for openssl 3.x will cause a fatal
+         * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
+         * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+         * in openssl 1.1.x.  Therefore we take the presence of that symbol
+         * as an indication that the engine will be incompatible.
          */
-        if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+        if (vcheck_res < OSSL_DYNAMIC_OLDEST
+                || DSO_bind_func(ctx->dynamic_dso,
+                                 "EVP_PKEY_get_base_id") != NULL) {
             /* Fail */
             ctx->bind_engine = NULL;
             ctx->v_check = NULL;
diff --git a/include/openssl/engine.h b/include/openssl/engine.h
index 0780f0fb5f..756751c6d3 100644
--- a/include/openssl/engine.h
+++ b/include/openssl/engine.h
@@ -722,6 +722,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id,
             CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \
                                      fns->mem_fns.realloc_fn, \
                                      fns->mem_fns.free_fn); \
+            OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \
         skip_cbs: \
             if (!fn(e, id)) return 0; \
             return 1; }


More information about the openssl-commits mailing list