Merge pull request #234 from ellert/myproxy-no-engine
Make OpenSSL engine optional
ellert authored Nov 3, 2024
2 parents b10f3a9 + 1ee8700 commit b471994
Showing 6 changed files with 32 additions and 2 deletions.
12 changes: 12 additions & 0 deletions myproxy/source/certauth_extensions.c
Expand Up @@ -4,7 +4,9 @@
*/

#include "myproxy_common.h"
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openssl/ui.h>

#define BUF_SIZE 16384
Expand Down Expand Up @@ -467,8 +469,10 @@ write_certificate(X509 *cert, const char serial[], const char dir[]) {
}

static EVP_PKEY *e_cakey=NULL;
#ifndef OPENSSL_NO_ENGINE
static ENGINE *engine=NULL;
static int engine_used=0;
#endif

static int
generate_certificate( X509_REQ *request,
Expand Down Expand Up @@ -701,6 +705,7 @@ generate_certificate( X509_REQ *request,

/* load ca key */

#ifndef OPENSSL_NO_ENGINE
if (engine) {
if (server_context->certificate_openssl_engine_lockfile) {
lockfd = open(server_context->certificate_openssl_engine_lockfile,
Expand All @@ -725,6 +730,7 @@ generate_certificate( X509_REQ *request,
goto error;
}
}
#endif

if(e_cakey) {
cakey = e_cakey;
Expand Down Expand Up @@ -770,6 +776,7 @@ generate_certificate( X509_REQ *request,
goto error;
}
serial = i2s_ASN1_OCTET_STRING(NULL, X509_get_serialNumber(cert));
#ifndef OPENSSL_NO_ENGINE
if (engine) {
engine_used=1;
if (lockfd != -1) close(lockfd);
Expand All @@ -779,6 +786,7 @@ generate_certificate( X509_REQ *request,
goto error;
}
}
#endif

return_value = 0;

Expand Down Expand Up @@ -827,6 +835,7 @@ arraylen(char **options) {
return c;
}

#ifndef OPENSSL_NO_ENGINE
void shutdown_openssl_engine(void) {
if (e_cakey) EVP_PKEY_free( e_cakey );
if (engine) ENGINE_finish(engine);
Expand All @@ -837,6 +846,7 @@ void shutdown_openssl_engine(void) {

if (engine_used) ENGINE_cleanup();
}
#endif

static int ui_read_fn(UI *ui, UI_STRING *ui_string) {
switch(UI_get_string_type(ui_string)) {
Expand Down Expand Up @@ -868,6 +878,7 @@ static int ui_write_fn(UI *ui, UI_STRING *ui_string) {
return 1;
}

#ifndef OPENSSL_NO_ENGINE
int initialise_openssl_engine(myproxy_server_context_t *server_context) {
ENGINE *e;
EVP_PKEY *cakey;
Expand Down Expand Up @@ -982,6 +993,7 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
UI_destroy_method(ui_method);
return 1;
}
#endif

static int
do_check(const char *callout, const X509_REQ *req, const X509 *cert)
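Review bot: `ui_read_fn` and `ui_write_fn`, the two static helpers sitting between the new `#endif` after `shutdown_openssl_engine` and the new `#ifndef` before `initialise_openssl_engine`, are left outside the guard, so an OPENSSL_NO_ENGINE build turns them into unused static functions (-Wunused-function) if, as the `UI_destroy_method(ui_method)` call suggests, only `initialise_openssl_engine` uses them; in that case move the `#ifndef OPENSSL_NO_ENGINE` up to cover both helpers, and `#include <openssl/ui.h>` at the top can go under the same guard. `shutdown_openssl_engine` is now compiled out, but its prototype is not in the header hunk of this commit, so whatever declares and calls it needs the same guard or the no-engine link fails; a stub `#else` / `void shutdown_openssl_engine(void) {}` / `#endif` after the new guard keeps every caller untouched. `e_cakey` stays unguarded and is only freed inside the guarded shutdown, which is harmless today because nothing can set it without an engine, but a comment `/* e_cakey is only ever set by initialise_openssl_engine (engine builds only) */` would explain the asymmetric guard to the next maintainer. The bodies of generate_certificate and initialise_openssl_engine extend outside the hunks shown.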
2 changes: 2 additions & 0 deletions myproxy/source/certauth_extensions.h
Expand Up @@ -4,7 +4,9 @@
*
*/

#ifndef OPENSSL_NO_ENGINE
int initialise_openssl_engine(myproxy_server_context_t *server_context);
#endif

int is_certificate_authority_configured(myproxy_server_context_t
*server_context);
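Review bot: The `#ifndef OPENSSL_NO_ENGINE` guard around the `initialise_openssl_engine` prototype only does its job if `<openssl/opensslconf.h>` (where OpenSSL defines that macro) has already been included when this header is read; no OpenSSL include is visible in the header, so a translation unit that includes it before any OpenSSL header sees the macro undefined and gets the prototype regardless, pushing the failure to link time in a no-engine build. Add `#include <openssl/opensslconf.h>` above the guard so the header is self-contained. The same include-order assumption holds for the first `#ifndef` in certauth_extensions.c, which presumably relies on `myproxy_common.h` pulling in an OpenSSL header — worth stating in a comment there too.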
2 changes: 1 addition & 1 deletion myproxy/source/configure.ac
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
AC_INIT([myproxy],[6.2.18])
AC_INIT([myproxy],[6.2.19])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE([foreign])
LT_INIT([dlopen win32-dll])
7 changes: 7 additions & 0 deletions myproxy/source/myproxy_server.c
Expand Up @@ -287,10 +287,17 @@ main(int argc, char *argv[])
}

if(server_context->certificate_openssl_engine_id) {
#ifndef OPENSSL_NO_ENGINE
if(!initialise_openssl_engine(server_context)) {
myproxy_log_verror();
my_failure("Could not initialise OpenSSL engine.");
}
#else
myproxy_log("Openssl has no engine support.");
myproxy_log("Can not use certificate_openssl_engine_id option.");
myproxy_log("Exiting.");
exit(1);
#endif
}

if (!server_context->run_as_daemon) {
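Review bot: The new `#else` branch reports the misconfiguration with three `myproxy_log` calls and a bare `exit(1)`, while the `#ifndef` branch directly above it goes through `my_failure`, so the two error paths for the same option diverge in log format and in whatever shutdown handling `my_failure` performs (its body is not in this hunk). Refusing to start rather than silently falling back to a file-based CA key is the right fail-closed behaviour, but it should take the same path: `my_failure("OpenSSL was built without engine support; the certificate_openssl_engine_id option cannot be used.");` in place of the four added lines. That also fixes the `Openssl` spelling, which the adjacent message writes as `OpenSSL`. main() continues outside the hunk.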
6 changes: 6 additions & 0 deletions packaging/debian/myproxy/debian/changelog.in
@@ -1,3 +1,9 @@
myproxy (6.2.19-1+gct.@distro@) @distro@; urgency=medium

* Make OpenSSL engine optional

-- Mattias Ellert <[email protected]> Sat, 02 Nov 2024 08:58:37 +0100

myproxy (6.2.18-1+gct.@distro@) @distro@; urgency=medium

* Change private key cipher to EVP_aes_256_cbc
5 changes: 4 additions & 1 deletion packaging/fedora/myproxy.spec
Expand Up @@ -2,7 +2,7 @@

Name: myproxy
%global soname 6
Version: 6.2.18
Version: 6.2.19
Release: 1%{?dist}
Summary: Manage X.509 Public Key Infrastructure (PKI) security credentials

Expand Down Expand Up @@ -391,6 +391,9 @@ fi
%doc %{_pkgdocdir}/LICENSE*

%changelog
* Sat Nov 02 2024 Mattias Ellert <[email protected]> - 6.2.19-1
- Make OpenSSL engine optional

* Tue Jul 23 2024 Mattias Ellert <[email protected]> - 6.2.18-1
- Change private key cipher to EVP_aes_256_cbc
