Make OpenSSL engine optional #234

Merged
merged 1 commit into from
Nov 3, 2024
12 changes: 12 additions & 0 deletions myproxy/source/certauth_extensions.c
Expand Up @@ -4,7 +4,9 @@
*/

#include "myproxy_common.h"
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openssl/ui.h>

#define BUF_SIZE 16384
Expand Down Expand Up @@ -467,8 +469,10 @@ write_certificate(X509 *cert, const char serial[], const char dir[]) {
}

static EVP_PKEY *e_cakey=NULL;
#ifndef OPENSSL_NO_ENGINE
static ENGINE *engine=NULL;
static int engine_used=0;
#endif

static int
generate_certificate( X509_REQ *request,
Expand Down Expand Up @@ -701,6 +705,7 @@ generate_certificate( X509_REQ *request,

/* load ca key */

#ifndef OPENSSL_NO_ENGINE
if (engine) {
if (server_context->certificate_openssl_engine_lockfile) {
lockfd = open(server_context->certificate_openssl_engine_lockfile,
Expand All @@ -725,6 +730,7 @@ generate_certificate( X509_REQ *request,
goto error;
}
}
#endif

if(e_cakey) {
cakey = e_cakey;
Expand Down Expand Up @@ -770,6 +776,7 @@ generate_certificate( X509_REQ *request,
goto error;
}
serial = i2s_ASN1_OCTET_STRING(NULL, X509_get_serialNumber(cert));
#ifndef OPENSSL_NO_ENGINE
if (engine) {
engine_used=1;
if (lockfd != -1) close(lockfd);
Expand All @@ -779,6 +786,7 @@ generate_certificate( X509_REQ *request,
goto error;
}
}
#endif

return_value = 0;

Expand Down Expand Up @@ -827,6 +835,7 @@ arraylen(char **options) {
return c;
}

#ifndef OPENSSL_NO_ENGINE
void shutdown_openssl_engine(void) {
if (e_cakey) EVP_PKEY_free( e_cakey );
if (engine) ENGINE_finish(engine);
Expand All @@ -837,6 +846,7 @@ void shutdown_openssl_engine(void) {

if (engine_used) ENGINE_cleanup();
}
#endif

static int ui_read_fn(UI *ui, UI_STRING *ui_string) {
switch(UI_get_string_type(ui_string)) {
Expand Down Expand Up @@ -868,6 +878,7 @@ static int ui_write_fn(UI *ui, UI_STRING *ui_string) {
return 1;
}

#ifndef OPENSSL_NO_ENGINE
int initialise_openssl_engine(myproxy_server_context_t *server_context) {
ENGINE *e;
EVP_PKEY *cakey;
Expand Down Expand Up @@ -982,6 +993,7 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
UI_destroy_method(ui_method);
return 1;
}
#endif

static int
do_check(const char *callout, const X509_REQ *req, const X509 *cert)
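Review bot: The `#ifndef OPENSSL_NO_ENGINE` guard added at the top of this file is tested before any OpenSSL header is visibly included, so it only takes effect if `myproxy_common.h` already pulls in `<openssl/opensslconf.h>` (where the OPENSSL_NO_* feature macros are defined); if it does not, the macro is undefined at that point and `engine.h` is still included on an engine-less build. Adding `#include <openssl/opensslconf.h>` ahead of the guard makes the dependency explicit, and the same consideration applies to the guards in certauth_extensions.h and myproxy_server.c. Separately, `shutdown_openssl_engine` is now compiled out as a whole, so any prototype or caller outside this hunk (none is visible here) needs the matching guard; `e_cakey` stays declared unconditionally, which is harmless since it remains NULL without an engine. `ui_read_fn`, `ui_write_fn` and `<openssl/ui.h>` remain unconditional; if they are only used by `initialise_openssl_engine` they become unused static functions under OPENSSL_NO_ENGINE and could share the guard.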
2 changes: 2 additions & 0 deletions myproxy/source/certauth_extensions.h
Expand Up @@ -4,7 +4,9 @@
*
*/

#ifndef OPENSSL_NO_ENGINE
int initialise_openssl_engine(myproxy_server_context_t *server_context);
#endif

int is_certificate_authority_configured(myproxy_server_context_t
*server_context);
2 changes: 1 addition & 1 deletion myproxy/source/configure.ac
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
AC_INIT([myproxy],[6.2.18])
AC_INIT([myproxy],[6.2.19])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE([foreign])
LT_INIT([dlopen win32-dll])
7 changes: 7 additions & 0 deletions myproxy/source/myproxy_server.c
Expand Up @@ -287,10 +287,17 @@ main(int argc, char *argv[])
}

if(server_context->certificate_openssl_engine_id) {
#ifndef OPENSSL_NO_ENGINE
if(!initialise_openssl_engine(server_context)) {
myproxy_log_verror();
my_failure("Could not initialise OpenSSL engine.");
}
#else
myproxy_log("Openssl has no engine support.");
myproxy_log("Can not use certificate_openssl_engine_id option.");
myproxy_log("Exiting.");
exit(1);
#endif
}

if (!server_context->run_as_daemon) {
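Review bot: The `#else` branch reports the misconfiguration with three separate `myproxy_log` calls followed by a bare `exit(1)`, while the enabled branch two lines above uses `my_failure()` for the same kind of fatal startup error; a single `my_failure("OpenSSL was built without engine support; certificate_openssl_engine_id cannot be used.");` keeps the logging and exit path uniform, assuming `my_failure` logs and terminates as its use at the top of the hunk suggests. Refusing to start rather than ignoring the option is the right outcome here, since the operator explicitly configured an engine-held CA key and a silent fallback to another key source would not be what was configured. The spelling `Openssl` in the new messages also differs from `OpenSSL` in the message just above. `main()` starts and ends outside the hunk.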
6 changes: 6 additions & 0 deletions packaging/debian/myproxy/debian/changelog.in
@@ -1,3 +1,9 @@
myproxy (6.2.19-1+gct.@distro@) @distro@; urgency=medium

* Make OpenSSL engine optional

-- Mattias Ellert <[email protected]> Sat, 02 Nov 2024 08:58:37 +0100

myproxy (6.2.18-1+gct.@distro@) @distro@; urgency=medium

* Change private key cipher to EVP_aes_256_cbc
5 changes: 4 additions & 1 deletion packaging/fedora/myproxy.spec
Expand Up @@ -2,7 +2,7 @@

Name: myproxy
%global soname 6
Version: 6.2.18
Version: 6.2.19
Release: 1%{?dist}
Summary: Manage X.509 Public Key Infrastructure (PKI) security credentials

Expand Down Expand Up @@ -391,6 +391,9 @@ fi
%doc %{_pkgdocdir}/LICENSE*

%changelog
* Sat Nov 02 2024 Mattias Ellert <[email protected]> - 6.2.19-1
- Make OpenSSL engine optional

* Tue Jul 23 2024 Mattias Ellert <[email protected]> - 6.2.18-1
- Change private key cipher to EVP_aes_256_cbc
