authorBernd Edlinger <bernd.edlinger@hotmail.de>2022-01-16 17:59:17 +0100
committerBernd Edlinger <bernd.edlinger@hotmail.de>2022-02-09 17:07:58 +0100
commit0418e993c717a6863f206feaa40673a261de7395 (patch)
treebac8d371aee5e7fd211b14730797a42a6117c22f
parent38ac4415a9cc4cca307c866e5fc548b889fe2bb6 (diff)
Check for presence of 3.x openssl runtime
If the newly loaded engine contains the symbol EVP_PKEY_get_base_id, we know it is linked against OpenSSL 3.x. Abort loading such an engine, since continuing would certainly crash. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17541)
-rw-r--r--crypto/engine/eng_dyn.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 87c762edb8..b2c34b8da4 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -443,8 +443,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
* We fail if the version checker veto'd the load *or* if it is
* deferring to us (by returning its version) and we think it is too
* old.
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 3.x will cause a fatal
+ * error. Detect such engines, since EVP_PKEY_get_base_id is exported
+ * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+ * in openssl 1.1.x. Therefore we take the presence of that symbol
+ * as an indication that the engine will be incompatible.
*/
- if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+ if (vcheck_res < OSSL_DYNAMIC_OLDEST
+ || DSO_bind_func(ctx->dynamic_dso,
+ "EVP_PKEY_get_base_id") != NULL) {
/* Fail */
ctx->bind_engine = NULL;
ctx->v_check = NULL;
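Review bot: The new `DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id")` probe is expected to fail on every compatible 1.1.x engine, and a failed symbol lookup presumably pushes a DSO_R_SYM_FAILURE entry onto the error queue (that happens in dso_lib.c, not visible here), so the normal success path of dynamic_load would leave a spurious error behind for callers that inspect the queue after ENGINE_load/ENGINE_ctrl_cmd_string. Bracket the probe with `ERR_set_mark();` before the `if` and `ERR_pop_to_mark();` both at the start of the failure branch and immediately after the closing brace, so only the existing ENGINE_R_VERSION_INCOMPATIBILITY error is reported on failure and nothing is reported on success. It is also worth a one-line comment that this is a heuristic — an engine that itself exports a symbol of that name would be rejected — e.g. `/* Heuristic: presence of a 3.x-only symbol name, not a real ABI check. */`. dynamic_load starts before and ends after this hunk.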