From: Fred Morcos
Date: Thu, 8 May 2025 16:53:06 +0000 (+0200)
Subject: lib-ssl-iostream: Fix OpenSSL 3.0 provider/engine preference logic
X-Git-Tag: 2.4.2~788
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=192bee9c998c85cd5171422c8e95899f4bfe057f;p=thirdparty%2Fdovecot%2Fcore.git
lib-ssl-iostream: Fix OpenSSL 3.0 provider/engine preference logic
---
diff --git a/m4/ssl.m4 b/m4/ssl.m4
index 169d3d260d..0248795500 100644
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -99,6 +99,7 @@ AC_DEFUN([DOVECOT_SSL], [
 DOVECOT_CHECK_SSL_FUNC([ERR_get_error_all])
 DOVECOT_CHECK_SSL_FUNC([EVP_MAC_CTX_new])
 DOVECOT_CHECK_SSL_FUNC([OSSL_PROVIDER_try_load])
+ DOVECOT_CHECK_SSL_FUNC([ENGINE_by_id])
 DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_tmp_dh_callback])
 DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_current_cert])
 DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set0_tmp_dh_pkey])
diff --git a/src/lib-ssl-iostream/dovecot-openssl-common.c b/src/lib-ssl-iostream/dovecot-openssl-common.c
index 0c7220d716..389234ae43 100644
--- a/src/lib-ssl-iostream/dovecot-openssl-common.c
+++ b/src/lib-ssl-iostream/dovecot-openssl-common.c
@@ -107,7 +107,14 @@ int dovecot_openssl_common_global_set_engine(const char *engine,
 if (dovecot_openssl_engine != NULL)
 return 1;
-#ifdef HAVE_ENGINE_by_id
+#ifdef HAVE_OSSL_PROVIDER_try_load
+ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) {
+ *error_r = t_strdup_printf("Cannot load '%s': %s", engine,
+ openssl_iostream_error());
+ return 0;
+ }
+ return 1;
+#elif defined(HAVE_ENGINE_by_id)
 ENGINE_load_builtin_engines();
 dovecot_openssl_engine = ENGINE_by_id(engine);
 if (dovecot_openssl_engine == NULL) {
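Review bot: The new `#ifdef HAVE_OSSL_PROVIDER_try_load` branch stores an `OSSL_PROVIDER *` in `dovecot_openssl_engine` on every build that has both APIs, so the variable's declaration and its teardown, neither of which is visible in this diff, have to test the two macros in the same order; if either still checks `HAVE_ENGINE_by_id` first, the handle would be typed and released as an `ENGINE`. On such builds the configured name is also now resolved as a provider rather than an engine id, and the message does not say which loader rejected it; `*error_r = t_strdup_printf("Cannot load provider '%s': %s", engine,` would make a stale engine name in the configuration easier to diagnose from the log. The function body starts before and continues past this hunk.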
@@ -126,13 +133,6 @@ int dovecot_openssl_common_global_set_engine(const char *engine,
 dovecot_openssl_engine = NULL;
 return -1;
 }
-#elif defined(HAVE_OSSL_PROVIDER_try_load)
- if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) {
- *error_r = t_strdup_printf("Cannot load '%s': %s", engine,
- openssl_iostream_error());
- return 0;
- }
- return 1;
 #else
 *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine);
 #endif