Merge pull request #781 from bukka/openssl-disable-engines

Add configure option and code to disable OpenSSL engines
softhsm · Jan 29, 2025 · 7081d3b · 7081d3b
2 parents 0053e2b + a393bf8
commit 7081d3b
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 2 deletions.
diff --git a/m4/acx_crypto_backend.m4 b/m4/acx_crypto_backend.m4
@@ -49,6 +49,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		AC_MSG_RESULT(no)
 	fi
 
+	# Option to disable usage engines
+
+	AC_ARG_ENABLE(openssl-engines,
+		AS_HELP_STRING([--disable-openssl-engines],
+			[Disable OpenSSL engines usage]
+		),
+		[enable_openssl_engines="${enableval}"],
+		[enable_openssl_engines="yes"]
+	)
+
 	# Then check what crypto library we want to use
 
 	AC_ARG_WITH(crypto-backend,
@@ -105,6 +115,22 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			ACX_OPENSSL_EVPAESWRAP
 		fi
 
+		AC_MSG_CHECKING(for OpenSSL engines support)
+		if test "x${enable_openssl_engines}" = "xyes"; then
+			ACX_OPENSSL_ENGINES
+			if test "x${have_lib_openssl_engines_support}" = "xyes"; then
+				AC_MSG_RESULT([yes])
+			else
+				AC_MSG_RESULT([no])
+				AC_DEFINE_UNQUOTED([WITHOUT_OPENSSL_ENGINES], [1],
+					[Compile without OpenSSL engines support as it is unavailable])
+			fi
+		else
+			AC_MSG_RESULT([disabled])
+			AC_DEFINE([WITHOUT_OPENSSL_ENGINES], [1],
+				[Compile without OpenSSL engines support as it is disabled])
+		fi
+
 		AC_DEFINE_UNQUOTED(
 			[WITH_RAW_PSS],
 			[1],

diff --git a/m4/acx_openssl_engines.m4 b/m4/acx_openssl_engines.m4
@@ -0,0 +1,35 @@
+AC_DEFUN([ACX_OPENSSL_ENGINES], [
+
+    tmp_CPPFLAGS=$CPPFLAGS
+    tmp_LIBS=$LIBS
+
+    CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+    LIBS="$CRYPTO_LIBS $LIBS"
+
+    AC_LANG_PUSH([C])
+    AC_CACHE_VAL([acx_cv_lib_openssl_engines_support], [
+        acx_cv_lib_openssl_engines_support=no
+        AC_COMPILE_IFELSE([
+            AC_LANG_SOURCE([[
+                #include <openssl/engine.h>
+                #ifdef OPENSSL_NO_ENGINE
+                #error "Engines are disabled"
+                #endif
+                int main() {
+                    ENGINE_load_builtin_engines();
+                    return 0;
+                }
+            ]])
+        ], [
+            acx_cv_lib_openssl_engines_support=yes
+        ], [
+            acx_cv_lib_openssl_engines_support=no
+        ])
+    ])
+    AC_LANG_POP([C])
+
+    CPPFLAGS=$tmp_CPPFLAGS
+    LIBS=$tmp_LIBS
+
+    have_lib_openssl_engines_support="${acx_cv_lib_openssl_engines_support}"
+])
diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp
@@ -141,6 +141,7 @@ OSSLCryptoFactory::OSSLCryptoFactory()
 	// Initialise OpenSSL
 	OpenSSL_add_all_algorithms();
 
+#ifdef WITH_ENGINES
 #if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
 	// Make sure RDRAND is loaded first
 	ENGINE_load_rdrand();
@@ -161,11 +162,12 @@ OSSLCryptoFactory::OSSLCryptoFactory()
 			WARNING_MSG("ENGINE_set_default returned %lu\n", ERR_get_error());
 		}
 	}
+#endif
 
 	// Initialise the one-and-only RNG
 	rng = new OSSLRNG();
 
-#ifdef WITH_GOST
+#if defined(WITH_ENGINES) && defined(WITH_GOST)
 	// Load engines
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	ENGINE_load_builtin_engines();
@@ -228,7 +230,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
 {
 	bool ossl_shutdown = false;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if defined(WITH_ENGINES) && OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 	// OpenSSL 1.1.0+ will register an atexit() handler to run
 	// OPENSSL_cleanup(). If that has already happened we must
 	// not attempt to free any ENGINEs because they'll already
@@ -243,6 +245,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
 #endif
 	if (!ossl_shutdown)
 	{
+#ifdef WITH_ENGINES
 #ifdef WITH_GOST
 		// Finish the GOST engine
 		if (eg != NULL)
@@ -257,6 +260,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory()
 		ENGINE_finish(rdrand_engine);
 		ENGINE_free(rdrand_engine);
 		rdrand_engine = NULL;
+#endif
 
 		// Recycle locks
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

diff --git a/src/lib/crypto/OSSLCryptoFactory.h b/src/lib/crypto/OSSLCryptoFactory.h
@@ -42,7 +42,11 @@
 #include "RNG.h"
 #include <memory>
 #include <openssl/conf.h>
+#if !defined(WITHOUT_OPENSSL_ENGINES) && !defined(OPENSSL_NO_ENGINES)
+#define WITH_ENGINES 1
 #include <openssl/engine.h>
+#endif
+
 
 class OSSLCryptoFactory : public CryptoFactory
 {
@@ -103,13 +107,16 @@ class OSSLCryptoFactory : public CryptoFactory
 
 	// The one-and-only RNG instance
 	RNG* rng;
+
+#ifdef WITH_ENGINES
 	// And RDRAND engine to use with it
 	ENGINE *rdrand_engine;
 
 #ifdef WITH_GOST
 	// The GOST engine
 	ENGINE *eg;
 #endif
+#endif
 };
 
 #endif // !_SOFTHSM_V2_OSSLCRYPTOFACTORY_H