From 7a8075206b3ba93b2e30f304761d6eefaefcfd39 Mon Sep 17 00:00:00 2001
From: Norbert Pocs
Date: Fri, 29 Aug 2025 13:59:35 +0200
Subject: [PATCH] ssl/: Remove ENGINEs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Norbert Pocs
Reviewed-by: Matt Caswell
Reviewed-by: Saša Nedvědický
Reviewed-by: Neil Horman
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Saša Nedvědický
Reviewed-by: Eugene Syromiatnikov
(Merged from https://github.com/openssl/openssl/pull/29305)
---
 ssl/ssl_ciph.c | 19 ---------
 ssl/ssl_lib.c | 35 -----------------
 ssl/ssl_local.h | 12 ------
 ssl/statem/statem_clnt.c | 10 +----
 ssl/tls_depr.c | 83 +---------------------------------------
 5 files changed, 2 insertions(+), 157 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2c35f31065c..cd0d0e071bc 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -285,8 +285,6 @@ static const SSL_CIPHER cipher_aliases[] = {
 * Search for public key algorithm with given name and return its pkey_id if
 * it is available. Otherwise return 0
 */
-# ifdef OPENSSL_NO_ENGINE
-
 static int get_optional_pkey_id(const char *pkey_name)
 {
 const EVP_PKEY_ASN1_METHOD *ameth;
@@ -298,23 +296,6 @@ static int get_optional_pkey_id(const char *pkey_name)
 return 0;
 }
-# else
-
-static int get_optional_pkey_id(const char *pkey_name)
-{
- const EVP_PKEY_ASN1_METHOD *ameth;
- ENGINE *tmpeng = NULL;
- int pkey_id = 0;
- ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
- if (ameth) {
- if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
- ameth) <= 0)
- pkey_id = 0;
- }
- tls_engine_finish(tmpeng);
- return pkey_id;
-}
-# endif
 #else
 static int get_optional_pkey_id(const char *pkey_name)
 {
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 54a22a1e5e4..14c29442d91 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -18,7 +18,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -4197,24 +4196,6 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 goto err;
 }
 #endif
-#ifndef OPENSSL_NO_ENGINE
-# ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
-# define eng_strx(x) #x
-# define eng_str(x) eng_strx(x)
- /* Use specific client engine automatically... ignore errors */
- {
- ENGINE *eng;
- eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
- if (!eng) {
- ERR_clear_error();
- ENGINE_load_builtin_engines();
- eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
- }
- if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
- ERR_clear_error();
- }
-# endif
-#endif
 #ifndef OPENSSL_NO_COMP_ALG
 /*
@@ -4426,9 +4407,6 @@ void SSL_CTX_free(SSL_CTX *a)
 #ifndef OPENSSL_NO_SRP
 ssl_ctx_srp_ctx_free_intern(a);
 #endif
-#ifndef OPENSSL_NO_ENGINE
- tls_engine_finish(a->client_cert_engine);
-#endif
 OPENSSL_free(a->ext.ecpointformats);
 OPENSSL_free(a->ext.supportedgroups);
@@ -7496,14 +7474,6 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
 {
 const EVP_CIPHER *ciph;
- ciph = tls_get_cipher_from_engine(nid);
- if (ciph != NULL)
- return ciph;
-
- /*
- * If there is no engine cipher then we do an explicit fetch. This may fail
- * and that could be ok
- */
 ERR_set_mark();
 ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
 if (ciph != NULL) {
@@ -7558,11 +7528,6 @@ const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
 {
 const EVP_MD *md;
- md = tls_get_digest_from_engine(nid);
- if (md != NULL)
- return md;
-
- /* Otherwise we do an explicit fetch */
 ERR_set_mark();
 md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
 ERR_pop_to_mark();
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 3af36274c9c..22522bdaebf 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
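Review bot: The comment deleted from ssl_evp_cipher_fetch() was the only explanation of why the fetch is bracketed by ERR_set_mark() — the explicit fetch may fail and that can be acceptable — and nothing replaces it, so the surviving `ERR_set_mark();` now reads as an unexplained leftover of the old engine-first ordering. Keep the still-valid half of the old comment above it, e.g. `/* The fetch may fail and that can be ok, so its errors are discarded */`. The `/* Otherwise we do an explicit fetch */` removal in ssl_evp_md_fetch() at @@ -7558 leaves its `ERR_set_mark();` / `ERR_pop_to_mark();` pair in the same state and deserves the same one-line comment. Both functions continue past the end of their hunks.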
@@ -975,13 +975,6 @@ struct ssl_ctx_st {
 /* The default read buffer length to use (0 means not set) */
 size_t default_read_buf_len;
-# ifndef OPENSSL_NO_ENGINE
- /*
- * Engine to pass requests for client certs to
- */
- ENGINE *client_cert_engine;
-# endif
-
 /* ClientHello callback. Mostly for extensions, but not entirely. */
 SSL_client_hello_cb_fn client_hello_cb;
 void *client_hello_cb_arg;
@@ -3027,11 +3020,6 @@ const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
 int ssl_evp_md_up_ref(const EVP_MD *md);
 void ssl_evp_md_free(const EVP_MD *md);
-void tls_engine_finish(ENGINE *e);
-const EVP_CIPHER *tls_get_cipher_from_engine(int nid);
-const EVP_MD *tls_get_digest_from_engine(int nid);
-int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
- EVP_PKEY **ppkey);
 int ssl_hmac_old_new(SSL_HMAC *ret);
 void ssl_hmac_old_free(SSL_HMAC *ctx);
 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d8d6ad48ee9..3891fd5b087 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -22,7 +22,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -3534,7 +3533,7 @@ static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt)
 goto err;
 };
- /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
+ /* Reuse EVP_PKEY_CTRL_SET_IV */
 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
@@ -4127,13 +4126,6 @@ int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey)
 int i = 0;
 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
-#ifndef OPENSSL_NO_ENGINE
- if (sctx->client_cert_engine) {
- i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
- if (i != 0)
- return i;
- }
-#endif
 if (sctx->client_cert_cb)
 i = sctx->client_cert_cb(SSL_CONNECTION_GET_USER_SSL(s), px509, ppkey);
 return i;
diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c
index b489ab11fa5..59aa475e274 100644
--- a/ssl/tls_depr.c
+++ b/ssl/tls_depr.c
@@ -7,93 +7,12 @@
 * https://www.openssl.org/source/license.html
 */
-/* We need to use some engine and HMAC deprecated APIs */
+/* We need to use some HMAC deprecated APIs */
 #define OPENSSL_SUPPRESS_DEPRECATED
-#include
 #include "ssl_local.h"
 #include "internal/ssl_unwrap.h"
-/*
- * Engine APIs are only used to support applications that still use ENGINEs.
- * Once ENGINE is removed completely, all of this code can also be removed.
- */
-
-#ifndef OPENSSL_NO_ENGINE
-void tls_engine_finish(ENGINE *e)
-{
- ENGINE_finish(e);
-}
-#endif
-
-const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
-{
- const EVP_CIPHER *ret = NULL;
-#ifndef OPENSSL_NO_ENGINE
- ENGINE *eng;
-
- /*
- * If there is an Engine available for this cipher we use the "implicit"
- * form to ensure we use that engine later.
- */
- eng = ENGINE_get_cipher_engine(nid);
- if (eng != NULL) {
- ret = ENGINE_get_cipher(eng, nid);
- ENGINE_finish(eng);
- }
-#endif
- return ret;
-}
-
-const EVP_MD *tls_get_digest_from_engine(int nid)
-{
- const EVP_MD *ret = NULL;
-#ifndef OPENSSL_NO_ENGINE
- ENGINE *eng;
-
- /*
- * If there is an Engine available for this digest we use the "implicit"
- * form to ensure we use that engine later.
- */
- eng = ENGINE_get_digest_engine(nid);
- if (eng != NULL) {
- ret = ENGINE_get_digest(eng, nid);
- ENGINE_finish(eng);
- }
-#endif
- return ret;
-}
-
-#ifndef OPENSSL_NO_ENGINE
-int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
- EVP_PKEY **ppkey)
-{
- SSL *ssl = SSL_CONNECTION_GET_SSL(s);
- return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
- ssl,
- SSL_get_client_CA_list(ssl),
- px509, ppkey, NULL, NULL, NULL);
-}
-#endif
-
-#ifndef OPENSSL_NO_ENGINE
-int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
-{
- if (!ENGINE_init(e)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
- return 0;
- }
- if (!ENGINE_get_ssl_client_cert_function(e)) {
- ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
- ENGINE_finish(e);
- return 0;
- }
- ctx->client_cert_engine = e;
- return 1;
-}
-#endif
-
 /*
 * The HMAC APIs below are only used to support the deprecated public API
 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
--
2.47.3
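Review bot: The removed SSL_CTX_set_client_cert_engine() is a public, exported libssl function, but the diffstat lists only five ssl/ sources, so the public header that declares it and the library's symbol export list are not touched by this patch; unless a companion commit in the pull request removes them, the symbol is left declared but undefined and existing callers fail at link time. If the name is meant to survive for ABI compatibility, a stub that raises an error and returns 0 — the same failure convention the deleted body used — would keep previously built applications loading; otherwise the declaration and the export entry belong in this change. Dropping the ENGINE_init() reference taken here is matched by the removal of tls_engine_finish() from SSL_CTX_free() in the ssl_lib.c hunk, so no engine reference leaks. The trailing context is the start of the HMAC block comment, which continues outside the hunk.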