romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-15 03:51:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

openssl: fix pkcs11 provider available check

Browse source 
Commit f2ce6c46 among other things added the use of own library context
instead of the default context. Default context has access to OpenSSL
configuration file, own context doesn't have it.
Therefore if a pkcs11 provider is loaded via config file, the function
OSSL_PROVIDER_available() incorrectly detects the provider as
unavailable.

Fix this by loading the OpenSSL config to the library context according
to OpenSSL documentation:
"OSSL_LIB_CTX_load_config() loads a configuration file using the given
ctx. This can be used to associate a library context with providers that
are loaded from a configuration."

Moreover use the provider_loaded flag instead of provider pointer to
determine if a provider is available, as the latter is not set when the
provider is loaded from a configuration.

Closes #17804
This commit is contained in:
Piotr Nakraszewicz 2025-07-02 14:29:43 +02:00 committed by Daniel Stenberg
parent 42fdc65a98
commit e022da0e83
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 12 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

16
lib/vtls/openssl.c
View file

@ -1384,7 +1384,7 @@ int cert_stuff(struct Curl_easy *data,
{
/* Implicitly use pkcs11 provider if none was provided and the
* cert_file is a PKCS#11 URI */
if(!data->state.provider) {
if(!data->state.provider_loaded) {
if(is_pkcs11_uri(cert_file)) {
if(ossl_set_provider(data, "pkcs11") != CURLE_OK) {
return 0;
@ -1392,7 +1392,7 @@ int cert_stuff(struct Curl_easy *data,
}
}
if(data->state.provider) {
if(data->state.provider_loaded) {
/* Load the certificate from the provider */
OSSL_STORE_INFO *info = NULL;
X509 *cert = NULL;
@ -1637,7 +1637,7 @@ fail:
{
/* Implicitly use pkcs11 provider if none was provided and the
* key_file is a PKCS#11 URI */
if(!data->state.provider) {
if(!data->state.provider_loaded) {
if(is_pkcs11_uri(key_file)) {
if(ossl_set_provider(data, "pkcs11") != CURLE_OK) {
return 0;
@ -1645,7 +1645,7 @@ fail:
}
}
if(data->state.provider) {
if(data->state.provider_loaded) {
/* Load the private key from the provider */
EVP_PKEY *priv_key = NULL;
OSSL_STORE_CTX *store = NULL;
@ -2031,6 +2031,14 @@ static CURLcode ossl_set_provider(struct Curl_easy *data, const char *iname)
data->state.libctx = libctx;
}
#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
/* load the configuration file into the library context before checking the
* provider availability */
if(!OSSL_LIB_CTX_load_config(data->state.libctx, NULL)) {
infof(data, "Failed to load default openssl config. Proceeding.");
}
#endif
if(OSSL_PROVIDER_available(data->state.libctx, name)) {
/* already loaded through the configuration - no action needed */
data->state.provider_loaded = TRUE;