diff options
author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2022-01-16 17:59:17 +0100 |
---|---|---|
committer | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2022-02-08 13:28:52 +0100 |
commit | db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 (patch) | |
tree | bb462b2e7883047a995c9e653cd32894f1316855 | |
parent | 01d4f5cdd4125bd81878257ae357ff191bc31dd1 (diff) |
Check for presence of 1.1.x openssl runtime
if the newly loaded engine contains the symbol
EVP_PKEY_base_id, we know it is linked to 1.1.x openssl.
Abort loading this engine, as it will definitely crash.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17112)
(cherry picked from commit 14db620282bea38dc44479e562cf9bb61a716444)
-rw-r--r-- | crypto/engine/eng_dyn.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index c8a54f7d44..68b9ac311d 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -451,8 +451,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too * old. + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 1.1.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_base_id is exported + * as a function in openssl 1.1.x, while it is a macro in openssl 3.x, + * and therefore only the symbol EVP_PKEY_get_base_id is available + * in openssl 3.x. */ - if (vcheck_res < OSSL_DYNAMIC_OLDEST) { + if (vcheck_res < OSSL_DYNAMIC_OLDEST + || DSO_bind_func(ctx->dynamic_dso, + "EVP_PKEY_base_id") != NULL) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL; |