OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()

Recent versions of engine_pkcs11 are set up to be autoloaded on demand
with ENGINE_by_id() because they don't need explicit configuration.

But if we *do* want to explicitly configure them with a PKCS#11 module
path, we should still do so.

We can't tell whether it was already initialised, but it's harmless to
repeat the MODULE_PATH command if it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Michael Schaller <misch@google.com>
David Woodhouse 2016-06-08 21:03:40 +01:00 committed by Jouni Malinen
parent fdc1188a85
commit c3d7fb7e27


@ -729,10 +729,16 @@ static int tls_engine_load_dynamic_generic(const char *pre[],
engine = ENGINE_by_id(id);
if (engine) {
ENGINE_free(engine);
wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
"available", id);
return 0;
/*
* If it was auto-loaded by ENGINE_by_id() we might still
* need to tell it which PKCS#11 module to use in legacy
* (non-p11-kit) environments. Do so now; even if it was
* properly initialised before, setting it again will be
* harmless.
*/
goto found;
}
ERR_clear_error();
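Review bot: In the `if (engine)` branch, `goto found` hands `engine` to the `ENGINE_ctrl_cmd_string()` loop, so the `ENGINE_free(engine)` and `return 0` shown above it must be on the removed side of this hunk. This rendering has lost its +/- markers, and if the free were kept, the loop would run on a reference that has already been released. With the early return gone, the reference taken by `ENGINE_by_id(id)` also has to be released somewhere after `found:` on both the success and the failure path. These lines do not show that, so it is worth confirming in the rest of the function.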
@ -769,7 +775,7 @@ static int tls_engine_load_dynamic_generic(const char *pre[],
id, ERR_error_string(ERR_get_error(), NULL));
return -1;
}
found:
while (post && post[0]) {
wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
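Review bot: The `found:` label in front of `while (post && post[0])` means an engine that was already available now goes through `ENGINE_ctrl_cmd_string()`, where the function previously returned 0 unconditionally. A post command that an already-initialised engine rejects can therefore turn what used to be success into whatever the `== 0` branch returns. The commit message says repeating MODULE_PATH is harmless, but nothing here limits `post[]` to that command. A short comment at the label stating that every post command must be safe to repeat would keep later additions to `post[]` from breaking that assumption.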