From aa01b82c69eeb0cfd255174111fc34a7ed5f8429 Mon Sep 17 00:00:00 2001 
From: Richard Levitte Date: Thu, 29 Sep 2016 00:40:20 +0200 Subject: [PATCH] If an engine comes up explicitely, it must also come down explicitely In apps/apps.c, one can set up an engine with setup_engine(). However, we freed the structural reference immediately, which means that for engines that don't already have a structural reference somewhere else (because they have registered at least one cipher or digest algorithm method, and therefore get a functional reference through the ENGINE_set_default() call), we end up returning an invalid reference. Instead, the function release_engine() is added, and called at the end of the routines that call setup_engine(). Originally, the ENGINE API wasn't designed for this to happen: an engine had to register at least one algorithm method, and was especially expected to register the algorithms corresponding to the key types that could be stored and hidden in hardware. However, it turns out that some engines will not register those algorithms with the ENGINE_set_{algo}, ENGINE_set_cipher or ENGINE_set_digest functions, as they only want the methods to be used for keys, not as general crypto accelerator methods. That may cause ENGINE_set_default() to do nothing, so no functional reference is made, leading to a premature deallocation of the engine, which is then unavailable when trying to fetch a key. 
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1644) --- apps/apps.c | 8 ++++++-- apps/apps.h | 1 + apps/ca.c | 4 ++++ apps/cms.c | 4 ++++ apps/dgst.c | 4 ++++ apps/dhparam.c | 7 ++++++- apps/dsa.c | 4 ++++ apps/dsaparam.c | 7 ++++++- apps/ec.c | 9 ++++++++- apps/ecparam.c | 13 ++++++++++--- apps/enc.c | 7 ++++++- apps/gendsa.c | 7 ++++++- apps/genpkey.c | 5 ++++- apps/genrsa.c | 4 ++++ apps/pkcs12.c | 4 ++++ apps/pkcs7.c | 7 ++++++- apps/pkcs8.c | 4 ++++ apps/pkey.c | 4 ++++ apps/pkeyparam.c | 7 ++++++- apps/pkeyutl.c | 4 ++++ apps/rand.c | 7 ++++++- apps/req.c | 4 ++++ apps/rsa.c | 4 ++++ apps/rsautl.c | 4 ++++ apps/s_client.c | 4 ++++ apps/s_server.c | 4 ++++ apps/smime.c | 4 ++++ apps/speed.c | 9 ++++++++- apps/spkac.c | 4 ++++ apps/srp.c | 7 ++++++- apps/verify.c | 4 ++++ apps/x509.c | 4 ++++ 32 files changed, 157 insertions(+), 16 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index ff17b35820d..c9f02163b02 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1564,11 +1564,15 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) } BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e)); + } + return e; +} +void release_engine(ENGINE *e) +{ + if (e != NULL) /* Free our "structural" reference. */ ENGINE_free(e); - } - return e; } #endif diff --git a/apps/apps.h b/apps/apps.h index c6c3881f31e..47af0fa1758 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -261,6 +261,7 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); # ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); +void release_engine(ENGINE *e); # endif # ifndef OPENSSL_NO_OCSP diff --git a/apps/ca.c b/apps/ca.c index a0ec5838fa7..673c6414243 100644 --- a/apps/ca.c +++ b/apps/ca.c 
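Review bot: The ownership rule this hunk introduces is not written down next to the code: setup_engine() now hands its structural reference to the caller, and nothing above setup_engine() or release_engine() in apps/apps.c, nor on the new prototype in apps/apps.h, says so. I would add a comment above setup_engine() such as `/* Returns a structural reference (NULL if no engine was set up); the caller must pass it to release_engine() when done. */`, so that a later caller which drops the return value is recognisably leaking rather than following the old convention. In release_engine() the comment sits between the unbraced `if (e != NULL)` and its statement, which is easy to misread; bracing the body would make the extent of the guard explicit. setup_engine()'s body starts outside the hunk.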
@@ -1485,6 +1485,10 @@ int MAIN(int argc, char **argv) X509_CRL_free(crl); NCONF_free(conf); NCONF_free(extconf); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/apps/cms.c b/apps/cms.c index 60479374cdf..f62175bc94e 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1170,6 +1170,10 @@ int MAIN(int argc, char **argv) EVP_PKEY_free(key); CMS_ContentInfo_free(cms); CMS_ContentInfo_free(rcms); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free(rctin); BIO_free(in); BIO_free(indata); diff --git a/apps/dgst.c b/apps/dgst.c index 26afcd7b30b..3eda7d743b0 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -537,6 +537,10 @@ int MAIN(int argc, char **argv) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(err); } diff --git a/apps/dhparam.c b/apps/dhparam.c index 57199a8d2ad..0ab16e8d2ff 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -161,6 +161,7 @@ int MAIN(int argc, char **argv) char *inrand = NULL; # ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; # endif int num = 0, g = 0; @@ -271,7 +272,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (g && !num) @@ -512,6 +513,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dh != NULL) DH_free(dh); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif apps_shutdown(); OPENSSL_EXIT(ret); } diff --git a/apps/dsa.c b/apps/dsa.c index dedf8e174a0..6978927e42c 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -358,6 +358,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passin) OPENSSL_free(passin); if (passout) 
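Review bot: The `if (e != NULL)` guard in front of `release_engine(e);` is redundant, because release_engine() in apps/apps.c performs the same NULL check itself. Calling `release_engine(e);` unconditionally inside the `#ifndef OPENSSL_NO_ENGINE` block would keep the NULL policy in one place and shorten every call site. The same pattern is repeated in the cleanup hunks of all the other apps/*.c files in this patch. MAIN's body starts and ends outside the hunk.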
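Review bot: The result of `e = setup_engine(bio_err, engine, 0);` in apps/dhparam.c is stored but never checked, so if setup_engine() returns NULL for an engine that was requested but could not be set up (its failure path is outside this patch), the command appears to carry on without it. For a tool that was asked to use a hardware-backed engine, continuing with the built-in implementation is worth stopping on; a check such as `if (engine != NULL && e == NULL) goto end;` after the call, using each file's own cleanup label, would make the failure explicit. The same applies to the other newly assigned calls in dsaparam.c, ec.c, ecparam.c, enc.c, gendsa.c, pkcs7.c, pkeyparam.c, rand.c (whose label is `err`), speed.c and srp.c. The enclosing MAIN continues outside the hunk.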
diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 824a595c379..a3a0a6ae53f 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -123,6 +123,7 @@ int MAIN(int argc, char **argv) int need_rand = 0; # ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; # endif # ifdef GENCB_TEST int timebomb = 0; @@ -264,7 +265,7 @@ int MAIN(int argc, char **argv) } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (need_rand) { @@ -433,6 +434,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(ret); } diff --git a/apps/ec.c b/apps/ec.c index b04dadaf18c..93fb98911c9 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -95,6 +95,9 @@ int MAIN(int argc, char **argv) int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0; char *infile, *outfile, *prog, *engine; +# ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +# endif char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; @@ -236,7 +239,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { @@ -349,6 +352,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (eckey) EC_KEY_free(eckey); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passin) OPENSSL_free(passin); if (passout) diff --git a/apps/ecparam.c b/apps/ecparam.c index 71b67f435cf..4d57ca44461 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c 
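Review bot: The release block added to apps/dsaparam.c is written `#ifndef OPENSSL_NO_ENGINE` / `#endif`, while the declaration and setup_engine() hunks of the same file use the indented `# ifndef` / `# endif` form, which suggests the code sits inside an outer conditional. For consistency the added directives should read `# ifndef OPENSSL_NO_ENGINE` and `# endif`. apps/srp.c has the same mismatch in its release hunk, and the declaration added to apps/speed.c opens with `# ifndef` but closes with `#endif`.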
@@ -131,6 +131,9 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat, outformat, noout = 0, C = 0, ret = 1; char *engine = NULL; +# ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +# endif BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL; @@ -312,7 +315,7 @@ int MAIN(int argc, char **argv) } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (list_curves) { @@ -620,12 +623,16 @@ int MAIN(int argc, char **argv) BN_free(ec_cofactor); if (buffer) OPENSSL_free(buffer); + if (group != NULL) + EC_GROUP_free(group); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); - if (group != NULL) - EC_GROUP_free(group); apps_shutdown(); OPENSSL_EXIT(ret); } diff --git a/apps/enc.c b/apps/enc.c index 8e2ef27aca3..513f5641b81 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -128,6 +128,7 @@ int MAIN(int argc, char **argv) char pname[PROG_NAME_SIZE + 1]; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; #endif const EVP_MD *dgst = NULL; int non_fips_allow = 0; @@ -323,7 +324,7 @@ int MAIN(int argc, char **argv) } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { @@ -673,6 +674,10 @@ int MAIN(int argc, char **argv) #ifdef ZLIB if (bzl != NULL) BIO_free(bzl); +#endif +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); #endif if (pass) OPENSSL_free(pass); diff --git a/apps/gendsa.c b/apps/gendsa.c index fd1360acd57..c9cc9c40d29 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -87,6 +87,7 @@ int MAIN(int argc, char **argv) const EVP_CIPHER *enc = NULL; # ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; # endif apps_startup(); 
@@ -207,7 +208,7 @@ int MAIN(int argc, char **argv) goto end; } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { @@ -273,6 +274,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passout) OPENSSL_free(passout); apps_shutdown(); diff --git a/apps/genpkey.c b/apps/genpkey.c index fef21dc7ae9..16715cf387f 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -275,9 +275,12 @@ int MAIN(int argc, char **argv) if (out) BIO_free_all(out); BIO_free(in); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (pass) OPENSSL_free(pass); - return ret; } diff --git a/apps/genrsa.c b/apps/genrsa.c index 91e6550a576..cd4490c25e5 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -314,6 +314,10 @@ int MAIN(int argc, char **argv) RSA_free(rsa); if (out) BIO_free_all(out); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passout) OPENSSL_free(passout); if (ret != 0) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 4e7de438a77..e38d8b947e4 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -755,6 +755,10 @@ int MAIN(int argc, char **argv) app_RAND_write_file(NULL, bio_err); # ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); +# endif +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); # endif BIO_free(in); BIO_free_all(out); diff --git a/apps/pkcs7.c b/apps/pkcs7.c index b6776331839..a189290a129 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -92,6 +92,7 @@ int MAIN(int argc, char **argv) int ret = 1; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; #endif apps_startup(); 
@@ -176,7 +177,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif in = BIO_new(BIO_s_file()); @@ -303,6 +304,10 @@ int MAIN(int argc, char **argv) end: if (p7 != NULL) PKCS7_free(p7); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (in != NULL) BIO_free(in); if (out != NULL) diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 5099e18417e..1f1de0053d3 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -391,6 +391,10 @@ int MAIN(int argc, char **argv) X509_SIG_free(p8); PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free_all(out); BIO_free(in); if (passin) diff --git a/apps/pkey.c b/apps/pkey.c index e848049c3a1..94853af4c3a 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -240,6 +240,10 @@ int MAIN(int argc, char **argv) end: EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free_all(out); BIO_free(in); if (passin) diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index a148a6621ad..6b150650044 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -76,6 +76,7 @@ int MAIN(int argc, char **argv) int badarg = 0; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; #endif int ret = 1; @@ -135,7 +136,7 @@ int MAIN(int argc, char **argv) return 1; } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif if (infile) { @@ -178,6 +179,10 @@ int MAIN(int argc, char **argv) end: EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free_all(out); BIO_free(in); diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index e47206c40a1..665d72402e4 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c 
@@ -357,6 +357,10 @@ int MAIN(int argc, char **argv) end: if (ctx) EVP_PKEY_CTX_free(ctx); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free(in); BIO_free_all(out); if (buf_in != NULL) diff --git a/apps/rand.c b/apps/rand.c index e159da37be1..c112531fb99 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -87,6 +87,7 @@ int MAIN(int argc, char **argv) BIO *out = NULL; int num = -1; #ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; char *engine = NULL; #endif @@ -163,7 +164,7 @@ int MAIN(int argc, char **argv) goto err; } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif app_RAND_load_file(NULL, bio_err, (inrand != NULL)); @@ -222,6 +223,10 @@ int MAIN(int argc, char **argv) err: ERR_print_errors(bio_err); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (out) BIO_free_all(out); apps_shutdown(); diff --git a/apps/req.c b/apps/req.c index d1411c91bbb..4b57443ca35 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1040,6 +1040,10 @@ int MAIN(int argc, char **argv) X509_REQ_free(req); X509_free(x509ss); ASN1_INTEGER_free(serial); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (passargin && passin) OPENSSL_free(passin); if (passargout && passout) diff --git a/apps/rsa.c b/apps/rsa.c index e13c14fbc83..bd1ec9ea66b 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -419,6 +419,10 @@ int MAIN(int argc, char **argv) } else ret = 0; end: +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (out != NULL) BIO_free_all(out); if (rsa != NULL) diff --git a/apps/rsautl.c b/apps/rsautl.c index 5b6f849ea74..1d5557ad9b6 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -327,6 +327,10 @@ int MAIN(int argc, char **argv) BIO_write(out, rsa_out, rsa_outlen); end: RSA_free(rsa); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif BIO_free(in); BIO_free_all(out); if (rsa_in) 
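Review bot: In apps/rsa.c the engine is released at the very top of `end:`, ahead of the `if (rsa != NULL)` check whose free call lies just past the hunk, whereas dsa.c, genrsa.c and rsautl.c release only after the key object has been freed, and the ecparam.c hunk even moves `EC_GROUP_free(group)` ahead of the release. If a key obtained through the engine does not hold its own reference (the page does not show this either way), freeing it after the structural reference is dropped could run engine-provided cleanup against an engine that has already been torn down. Moving the added block below the RSA free would match the other files and remove the question.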
diff --git a/apps/s_client.c b/apps/s_client.c index 41a326fbb85..876689b42ac 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -2123,6 +2123,10 @@ int MAIN(int argc, char **argv) OPENSSL_cleanse(mbuf, BUFSIZZ); OPENSSL_free(mbuf); } +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (bio_c_out != NULL) { BIO_free(bio_c_out); bio_c_out = NULL; diff --git a/apps/s_server.c b/apps/s_server.c index 857a70e3e4c..9adbea03c8b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2128,6 +2128,10 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_JPAKE if (jpake_secret && psk_key) OPENSSL_free(psk_key); +#endif +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); #endif if (bio_s_out != NULL) { BIO_free(bio_s_out); diff --git a/apps/smime.c b/apps/smime.c index 6044ccf5f59..f1f57aae494 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -736,6 +736,10 @@ int MAIN(int argc, char **argv) X509_free(signer); EVP_PKEY_free(key); PKCS7_free(p7); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free(in); BIO_free(indata); BIO_free_all(out); diff --git a/apps/speed.c b/apps/speed.c index b862868eacc..0c3d63f736a 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -372,6 +372,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +# ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +#endif unsigned char *buf = NULL, *buf2 = NULL; int mret = 1; long count = 0, save_count = 0; @@ -749,7 +752,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "no engine given\n"); goto end; } - setup_engine(bio_err, *argv, 0); + e = setup_engine(bio_err, *argv, 0); /* * j will be increased again further down. We just don't want * speed to confuse an engine with an algorithm, especially when @@ -2526,6 +2529,10 @@ int MAIN(int argc, char **argv) } # endif +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(mret); } 
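Review bot: `e = setup_engine(bio_err, *argv, 0);` in apps/speed.c takes the engine name straight from argv, and the neighbouring comment about `j` suggests it runs inside the argument loop, so a second `-engine` on the command line would overwrite `e` and the first reference would never reach release_engine(). Releasing any previous value first, with `release_engine(e);` on the line before the assignment, keeps one held reference per handle; release_engine() already tolerates NULL. The loop itself is outside the hunk, so this is inferred from the visible context only.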
diff --git a/apps/spkac.c b/apps/spkac.c index 8b06ec4d6e7..c3792f91c48 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -305,6 +305,10 @@ int MAIN(int argc, char **argv) BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (passin) OPENSSL_free(passin); apps_shutdown(); diff --git a/apps/srp.c b/apps/srp.c index c75052f38dd..f10df5f2246 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -294,6 +294,7 @@ int MAIN(int argc, char **argv) long errorline = -1; char *randfile = NULL; # ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; char *engine = NULL; # endif char *tofree = NULL; @@ -412,7 +413,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { @@ -760,6 +761,10 @@ int MAIN(int argc, char **argv) if (db) free_index(db); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/apps/verify.c b/apps/verify.c index b5ae6b370e1..266d07896e1 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -255,6 +255,10 @@ int MAIN(int argc, char **argv) sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); sk_X509_CRL_pop_free(crls, X509_CRL_free); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(ret < 0 ? 2 : ret); } diff --git a/apps/x509.c b/apps/x509.c index 17cb62da726..8bf0a7aba04 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1040,6 +1040,10 @@ int MAIN(int argc, char **argv) ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (passin) OPENSSL_free(passin); apps_shutdown(); -- 2.47.2