Add support for PKCS#11 provider in OpenSSL 3.0

The engine API in OpenSSL 3.0 is deprecated so we are in the process of working
on a PKCS#11 provider for OpenSSL. This commit introduces a conditional build
with the pkcs11-provider support (instead of engines) with all the changes
required for the provider to work with existing code and tests.

The CI modification is only temporary until we have the real package in
Fedora or somewhere to use.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Norbert Pocs <npocs@redhat.com>
Jakub Jelen
2022-10-31 15:09:26 +01:00
parent 7291f2173c
commit 2539d72b7c
18 changed files with 276 additions and 62 deletions

@@ -84,7 +84,6 @@
static int libcrypto_initialized = 0;
static ENGINE *engine = NULL;
void ssh_reseed(void){
#ifndef _WIN32
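Review bot: with `static ENGINE *engine = NULL;` no longer declared at file scope next to `libcrypto_initialized`, any other reference to `engine` in this file (for example in a cleanup or finalization path) will fail to compile once WITH_PKCS11_PROVIDER is defined. Please confirm every remaining use of `engine` sits under the same `#ifndef WITH_PKCS11_PROVIDER` guard, or say in the commit message that pki_get_engine() is its only user.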
@@ -94,6 +93,9 @@ void ssh_reseed(void){
#endif
}
#ifndef WITH_PKCS11_PROVIDER
static ENGINE *engine = NULL;
ENGINE *pki_get_engine(void)
{
int ok;
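Review bot: the new `#ifndef WITH_PKCS11_PROVIDER` guard has no matching check that the provider path is actually usable. The commit message ties the provider to OpenSSL 3.0, so a build that defines WITH_PKCS11_PROVIDER against an older libcrypto ends up with neither pki_get_engine() nor a provider, and PKCS#11 keys silently have no backend. Suggest failing at configure time (or with an `#error` here) when WITH_PKCS11_PROVIDER is set without OpenSSL 3.0, and adding a one-line comment above the guard naming what replaces the engine in provider builds.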
@@ -123,6 +125,7 @@ ENGINE *pki_get_engine(void)
}
return engine;
}
#endif /* WITH_PKCS11_PROVIDER */
#ifdef HAVE_OPENSSL_ECC
static const EVP_MD *nid_to_evpmd(int nid)
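Review bot: at `#endif /* WITH_PKCS11_PROVIDER */`, the trailing comment reads as if the block were compiled when the macro is defined, while the opening directive is `#ifndef`; `/* !WITH_PKCS11_PROVIDER */` or `/* WITH_PKCS11_PROVIDER not defined */` would match the condition. Also, since pki_get_engine() is now compiled out in provider builds, its prototype in the header should carry the same guard so that a leftover caller fails at compile time rather than at link time.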