From c3d7fb7e2724150950e1a1eac29460ea255811c3 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Wed, 8 Jun 2016 21:03:40 +0100
Subject: [PATCH] OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()

Recent versions of engine_pkcs11 are set up to be autoloaded on demand with ENGINE_by_id() because they don't need explicit configuration. But if we *do* want to explicitly configure them with a PKCS#11 module path, we should still do so. We can't tell whether it was already initialised, but it's harmless to repeat the MODULE_PATH command if it was.

Signed-off-by: David Woodhouse
Tested-by: Michael Schaller
---
 src/crypto/tls_openssl.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index c831fbaf2..23ac64b48 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -729,10 +729,16 @@ static int tls_engine_load_dynamic_generic(const char *pre[],
 engine = ENGINE_by_id(id);
 if (engine) {
- ENGINE_free(engine);
 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
 "available", id);
- return 0;
+ /*
+ * If it was auto-loaded by ENGINE_by_id() we might still
+ * need to tell it which PKCS#11 module to use in legacy
+ * (non-p11-kit) environments. Do so now; even if it was
+ * properly initialised before, setting it again will be
+ * harmless.
+ */
+ goto found;
 }
 ERR_clear_error();
@@ -769,7 +775,7 @@ static int tls_engine_load_dynamic_generic(const char *pre[],
 id, ERR_error_string(ERR_get_error(), NULL));
 return -1;
 }
-
+ found:
 while (post && post[0]) {
 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
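Review bot: The `goto found;` in the first hunk routes an engine this function did not load into the same ctrl-command failure handling as a freshly loaded one; if the code after the `while (post && post[0])` loop (outside the hunk) unregisters the engine with `ENGINE_remove()` when `ENGINE_ctrl_cmd_string()` fails, a repeated MODULE_PATH that the engine rejects would tear down an engine another component had set up, where the old code returned 0 and left it untouched. Consider recording which path was taken, e.g. `int preloaded = 0;` at the top of the function, `preloaded = 1;` immediately before the `goto found;`, and skipping only the removal (not the `ENGINE_free()` of the structural reference from `ENGINE_by_id()`) when it is set. The new comment states that re-sending the command is harmless, which the commit message asserts for engine_pkcs11 only; the debug message on that path could say that configuration is now being applied to an already-available engine so a later ctrl failure is attributable from the log. tls_engine_load_dynamic_generic() begins before the first hunk and continues past the second, so the failure path after the label is not visible here.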