diff --git a/m4/acx_crypto_backend.m4 b/m4/acx_crypto_backend.m4 index 0af54617..fe59ca97 100644 --- a/m4/acx_crypto_backend.m4 +++ b/m4/acx_crypto_backend.m4 @@ -49,6 +49,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ AC_MSG_RESULT(no) fi + # Option to disable usage engines + + AC_ARG_ENABLE(openssl-engines, + AS_HELP_STRING([--disable-openssl-engines], + [Disable OpenSSL engines usage] + ), + [enable_openssl_engines="${enableval}"], + [enable_openssl_engines="yes"] + ) + # Then check what crypto library we want to use AC_ARG_WITH(crypto-backend, @@ -105,6 +115,22 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ ACX_OPENSSL_EVPAESWRAP fi + AC_MSG_CHECKING(for OpenSSL engines support) + if test "x${enable_openssl_engines}" = "xyes"; then + ACX_OPENSSL_ENGINES + if test "x${have_lib_openssl_engines_support}" = "xyes"; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + AC_DEFINE_UNQUOTED([WITHOUT_OPENSSL_ENGINES], [1], + [Compile without OpenSSL engines support as it is unavailable]) + fi + else + AC_MSG_RESULT([disabled]) + AC_DEFINE([WITHOUT_OPENSSL_ENGINES], [1], + [Compile without OpenSSL engines support as it is disabled]) + fi + AC_DEFINE_UNQUOTED( [WITH_RAW_PSS], [1], diff --git a/m4/acx_openssl_engines.m4 b/m4/acx_openssl_engines.m4 new file mode 100644 index 00000000..62bc5848 --- /dev/null +++ b/m4/acx_openssl_engines.m4 @@ -0,0 +1,35 @@ +AC_DEFUN([ACX_OPENSSL_ENGINES], [ + + tmp_CPPFLAGS=$CPPFLAGS + tmp_LIBS=$LIBS + + CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES" + LIBS="$CRYPTO_LIBS $LIBS" + + AC_LANG_PUSH([C]) + AC_CACHE_VAL([acx_cv_lib_openssl_engines_support], [ + acx_cv_lib_openssl_engines_support=no + AC_COMPILE_IFELSE([ + AC_LANG_SOURCE([[ + #include + #ifdef OPENSSL_NO_ENGINE + #error "Engines are disabled" + #endif + int main() { + ENGINE_load_builtin_engines(); + return 0; + } + ]]) + ], [ + acx_cv_lib_openssl_engines_support=yes + ], [ + acx_cv_lib_openssl_engines_support=no + ]) + ]) + AC_LANG_POP([C]) + + CPPFLAGS=$tmp_CPPFLAGS + LIBS=$tmp_LIBS + + have_lib_openssl_engines_support="${acx_cv_lib_openssl_engines_support}" +]) diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp index 60cd3216..db22998a 100644 --- a/src/lib/crypto/OSSLCryptoFactory.cpp +++ b/src/lib/crypto/OSSLCryptoFactory.cpp @@ -141,6 +141,7 @@ OSSLCryptoFactory::OSSLCryptoFactory() // Initialise OpenSSL OpenSSL_add_all_algorithms(); +#ifdef WITH_ENGINES #if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) // Make sure RDRAND is loaded first ENGINE_load_rdrand(); @@ -161,11 +162,12 @@ OSSLCryptoFactory::OSSLCryptoFactory() WARNING_MSG("ENGINE_set_default returned %lu\n", ERR_get_error()); } } +#endif // Initialise the one-and-only RNG rng = new OSSLRNG(); -#ifdef WITH_GOST +#if defined(WITH_ENGINES) && defined(WITH_GOST) // Load engines #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ENGINE_load_builtin_engines(); @@ -228,7 +230,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() { bool ossl_shutdown = false; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if defined(WITH_ENGINES) && OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) // OpenSSL 1.1.0+ will register an atexit() handler to run // OPENSSL_cleanup(). If that has already happened we must // not attempt to free any ENGINEs because they'll already @@ -243,6 +245,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() #endif if (!ossl_shutdown) { +#ifdef WITH_ENGINES #ifdef WITH_GOST // Finish the GOST engine if (eg != NULL) @@ -257,6 +260,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() ENGINE_finish(rdrand_engine); ENGINE_free(rdrand_engine); rdrand_engine = NULL; +#endif // Recycle locks #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) diff --git a/src/lib/crypto/OSSLCryptoFactory.h b/src/lib/crypto/OSSLCryptoFactory.h index d718b69f..bdfc031b 100644 --- a/src/lib/crypto/OSSLCryptoFactory.h +++ b/src/lib/crypto/OSSLCryptoFactory.h @@ -42,7 +42,11 @@ #include "RNG.h" #include #include +#if !defined(WITHOUT_OPENSSL_ENGINES) && !defined(OPENSSL_NO_ENGINES) +#define WITH_ENGINES 1 #include +#endif + class OSSLCryptoFactory : public CryptoFactory { @@ -103,6 +107,8 @@ class OSSLCryptoFactory : public CryptoFactory // The one-and-only RNG instance RNG* rng; + +#ifdef WITH_ENGINES // And RDRAND engine to use with it ENGINE *rdrand_engine; @@ -110,6 +116,7 @@ class OSSLCryptoFactory : public CryptoFactory // The GOST engine ENGINE *eg; #endif +#endif }; #endif // !_SOFTHSM_V2_OSSLCRYPTOFACTORY_H