lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-09-07 02:46:38 +03:00
Code Activity

Cleanup the loaded pkcs11 provider

Browse Source 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 62762bbbc9)
This commit is contained in:
Jakub Jelen
2025-06-02 17:44:43 +02:00
parent abfc42fad3
commit 962012bbf6
4 changed files with 56 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/libssh/crypto.h
View File

@@ -223,9 +223,6 @@ int sshkdf_derive_key(struct ssh_crypto_struct *crypto,
size_t requested_len); size_t requested_len);
int secure_memcmp(const void *s1, const void *s2, size_t n); int secure_memcmp(const void *s1, const void *s2, size_t n);
#if defined(HAVE_LIBCRYPTO) && !defined(WITH_PKCS11_PROVIDER)
ENGINE *pki_get_engine(void);
#endif /* HAVE_LIBCRYPTO */
void compress_cleanup(struct ssh_crypto_struct *crypto); void compress_cleanup(struct ssh_crypto_struct *crypto);

9
include/libssh/libcrypto.h
View File

@@ -121,6 +121,15 @@ typedef BN_CTX* bignum_CTX;
ssh_string pki_key_make_ecpoint_string(const EC_GROUP *g, const EC_POINT *p); ssh_string pki_key_make_ecpoint_string(const EC_GROUP *g, const EC_POINT *p);
int pki_key_ecgroup_name_to_nid(const char *group); int pki_key_ecgroup_name_to_nid(const char *group);
#if defined(WITH_PKCS11_URI)
#if defined(WITH_PKCS11_PROVIDER)
int pki_load_pkcs11_provider(void);
#else
ENGINE *pki_get_engine(void);
#endif
#endif /* WITH_PKCS11_PROVIDER */
#endif /* HAVE_LIBCRYPTO */ #endif /* HAVE_LIBCRYPTO */
#endif /* LIBCRYPTO_H_ */ #endif /* LIBCRYPTO_H_ */

46
src/libcrypto.c
View File

@@ -49,8 +49,9 @@
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/hmac.h> #include <openssl/hmac.h>
#else #else
#include <openssl/param_build.h>
#include <openssl/core_names.h> #include <openssl/core_names.h>
#include <openssl/param_build.h>
#include <openssl/provider.h>
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
#include <openssl/rand.h> #include <openssl/rand.h>
#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER) #if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER)
@@ -96,7 +97,37 @@ void ssh_reseed(void){
#endif #endif
} }
#if defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER) #if defined(WITH_PKCS11_URI)
#if defined(WITH_PKCS11_PROVIDER)
static OSSL_PROVIDER *provider = NULL;
static bool pkcs11_provider_failed = false;
int pki_load_pkcs11_provider(void)
{
if (OSSL_PROVIDER_available(NULL, "pkcs11") == 1) {
/* the provider is already available.
* Loaded through a configuration file? */
return SSH_OK;
}
if (pkcs11_provider_failed) {
/* the loading failed previously -- do not retry */
return SSH_ERROR;
}
provider = OSSL_PROVIDER_try_load(NULL, "pkcs11", 1);
if (provider != NULL) {
return SSH_OK;
}
SSH_LOG(SSH_LOG_TRACE,
"Failed to load the pkcs11 provider: %s",
ERR_error_string(ERR_get_error(), NULL));
/* Do not attempt to load it again */
pkcs11_provider_failed = true;
return SSH_ERROR;
}
#else
static ENGINE *engine = NULL; static ENGINE *engine = NULL;
ENGINE *pki_get_engine(void) ENGINE *pki_get_engine(void)
@@ -128,7 +159,8 @@ ENGINE *pki_get_engine(void)
} }
return engine; return engine;
} }
#endif /* defined(WITH_PKCS11_URI) && !defined(WITH_PKCS11_PROVIDER) */ #endif /* defined(WITH_PKCS11_PROVIDER) */
#endif /* defined(WITH_PKCS11_URI) */
#ifdef HAVE_OPENSSL_EVP_KDF_CTX #ifdef HAVE_OPENSSL_EVP_KDF_CTX
#if OPENSSL_VERSION_NUMBER < 0x30000000L #if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -1402,6 +1434,14 @@ void ssh_crypto_finalize(void)
engine = NULL; engine = NULL;
} }
#endif #endif
#if defined(WITH_PKCS11_URI)
#if defined(WITH_PKCS11_PROVIDER)
if (provider != NULL) {
OSSL_PROVIDER_unload(provider);
provider = NULL;
}
#endif /* WITH_PKCS11_PROVIDER */
#endif /* WITH_PKCS11_URI */
libcrypto_initialized = 0; libcrypto_initialized = 0;
} }

19
src/pki_crypto.c
View File

@@ -46,7 +46,6 @@
#include <openssl/param_build.h> #include <openssl/param_build.h>
#if defined(WITH_PKCS11_URI) && defined(WITH_PKCS11_PROVIDER) #if defined(WITH_PKCS11_URI) && defined(WITH_PKCS11_PROVIDER)
#include <openssl/store.h> #include <openssl/store.h>
#include <openssl/provider.h>
#endif #endif
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
@@ -2719,9 +2718,6 @@ error:
} }
#ifdef WITH_PKCS11_URI #ifdef WITH_PKCS11_URI
#ifdef WITH_PKCS11_PROVIDER
static bool pkcs11_provider_failed = false;
#endif
/** /**
* @internal * @internal
@@ -2787,20 +2783,11 @@ int pki_uri_import(const char *uri_name,
/* The provider can be either configured in openssl.cnf or dynamically /* The provider can be either configured in openssl.cnf or dynamically
* loaded, assuming it does not need any special configuration */ * loaded, assuming it does not need any special configuration */
if (OSSL_PROVIDER_available(NULL, "pkcs11") == 0 && rv = pki_load_pkcs11_provider();
!pkcs11_provider_failed) { if (rv != SSH_OK) {
OSSL_PROVIDER *pkcs11_provider = NULL; SSH_LOG(SSH_LOG_TRACE, "Failed to load or initialize pkcs11 provider");
pkcs11_provider = OSSL_PROVIDER_try_load(NULL, "pkcs11", 1);
if (pkcs11_provider == NULL) {
SSH_LOG(SSH_LOG_TRACE,
"Failed to initialize provider: %s",
ERR_error_string(ERR_get_error(), NULL));
/* Do not attempt to load it again */
pkcs11_provider_failed = true;
goto fail; goto fail;
} }
}
store = OSSL_STORE_open(uri_name, NULL, NULL, NULL, NULL); store = OSSL_STORE_open(uri_name, NULL, NULL, NULL, NULL);
if (store == NULL) { if (store == NULL) {