From: Piotr Nakraszewicz <piotr.nakraszewicz@consult.red>
Date: Wed, 2 Jul 2025 12:29:43 +0000 (+0200)
Subject: openssl: fix pkcs11 provider available check
X-Git-Tag: curl-8_15_0~108
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e022da0e8301b0bcc905cd2ca09879ca860e0332;p=thirdparty%2Fcurl.git

openssl: fix pkcs11 provider available check

Commit f2ce6c46 among other things added the use of own library context
instead of the default context. Default context has access to OpenSSL
configuration file, own context doesn't have it.
Therefore if a pkcs11 provider is loaded via config file, the function
OSSL_PROVIDER_available() incorrectly detects the provider as
unavailable.

Fix this by loading the OpenSSL config to the library context according
to OpenSSL documentation:
"OSSL_LIB_CTX_load_config() loads a configuration file using the given
ctx. This can be used to associate a library context with providers that
are loaded from a configuration."

Moreover use the provider_loaded flag instead of provider pointer to
determine if a provider is available, as the latter is not set when the
provider is loaded from a configuration.

Closes #17804
---

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index f1fb97e6cf..3b23149c73 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1384,7 +1384,7 @@ int cert_stuff(struct Curl_easy *data,
     {
       /* Implicitly use pkcs11 provider if none was provided and the
        * cert_file is a PKCS#11 URI */
-      if(!data->state.provider) {
+      if(!data->state.provider_loaded) {
         if(is_pkcs11_uri(cert_file)) {
           if(ossl_set_provider(data, "pkcs11") != CURLE_OK) {
             return 0;
@@ -1392,7 +1392,7 @@ int cert_stuff(struct Curl_easy *data,
         }
       }
 
-      if(data->state.provider) {
+      if(data->state.provider_loaded) {
         /* Load the certificate from the provider */
         OSSL_STORE_INFO *info = NULL;
         X509 *cert = NULL;
@@ -1637,7 +1637,7 @@ fail:
     {
       /* Implicitly use pkcs11 provider if none was provided and the
        * key_file is a PKCS#11 URI */
-      if(!data->state.provider) {
+      if(!data->state.provider_loaded) {
         if(is_pkcs11_uri(key_file)) {
           if(ossl_set_provider(data, "pkcs11") != CURLE_OK) {
             return 0;
@@ -1645,7 +1645,7 @@ fail:
         }
       }
 
-      if(data->state.provider) {
+      if(data->state.provider_loaded) {
         /* Load the private key from the provider */
         EVP_PKEY *priv_key = NULL;
         OSSL_STORE_CTX *store = NULL;
@@ -2031,6 +2031,14 @@ static CURLcode ossl_set_provider(struct Curl_easy *data, const char *iname)
     data->state.libctx = libctx;
   }
 
+#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
+  /* load the configuration file into the library context before checking the
+   * provider availability */
+  if(!OSSL_LIB_CTX_load_config(data->state.libctx, NULL)) {
+    infof(data, "Failed to load default openssl config. Proceeding.");
+  }
+#endif
+
   if(OSSL_PROVIDER_available(data->state.libctx, name)) {
     /* already loaded through the configuration - no action needed */
     data->state.provider_loaded = TRUE;