The branch openssl-3.0 has been updated via db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 (commit) from 01d4f5cdd4125bd81878257ae357ff191bc31dd1 (commit)
- Log ----------------------------------------------------------------- commit db40ffab8dbf3ae0e932bb737ff787c6c1eb3ca2 Author: Bernd Edlinger <bernd.edlin...@hotmail.de> Date: Sun Jan 16 17:59:17 2022 +0100 Check for presence of 1.1.x openssl runtime if the newly loaded engine contains the symbol EVP_PKEY_base_id, we know it is linked to 1.1.x openssl. Abort loading this engine, as it will definitely crash. Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17112) (cherry picked from commit 14db620282bea38dc44479e562cf9bb61a716444) ----------------------------------------------------------------------- Summary of changes: crypto/engine/eng_dyn.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index c8a54f7d44..68b9ac311d 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -451,8 +451,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) * We fail if the version checker veto'd the load *or* if it is * deferring to us (by returning its version) and we think it is too * old. + * Unfortunately the version checker does not distinguish between + * engines built for openssl 1.1.x and openssl 3.x, but loading + * an engine that is built for openssl 1.1.x will cause a fatal + * error. Detect such engines, since EVP_PKEY_base_id is exported + * as a function in openssl 1.1.x, while it is a macro in openssl 3.x, + * and therefore only the symbol EVP_PKEY_get_base_id is available + * in openssl 3.x. */ - if (vcheck_res < OSSL_DYNAMIC_OLDEST) { + if (vcheck_res < OSSL_DYNAMIC_OLDEST + || DSO_bind_func(ctx->dynamic_dso, + "EVP_PKEY_base_id") != NULL) { /* Fail */ ctx->bind_engine = NULL; ctx->v_check = NULL;