@@ -42,6 +42,7 @@
#include "crypto.h"
#include "crypto_backend.h"
#include "openssl_compat.h"
+#include "xkey_common.h"
#include <openssl/conf.h>
#include <openssl/des.h>
@@ -75,6 +76,8 @@ static bool engine_initialized = false; /* GLOBAL */
static ENGINE *engine_persist = NULL; /* GLOBAL */
+static void *xkey_prov;
+
/* Try to load an engine in a shareable library */
static ENGINE *
try_load_engine(const char *engine)
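Review bot: `xkey_prov` is declared as a bare `void *` without the `/* GLOBAL */` annotation that the neighbouring `engine_persist` line carries, and without an initializer, while the value it holds comes from OSSL_PROVIDER_load and is later handed to OSSL_PROVIDER_unload in the crypto_uninit_lib hunk. Presumably `void *` was chosen so the declaration compiles on builds where the OpenSSL 3 OSSL_PROVIDER type is not declared; if so, a comment stating that would save the next reader from "fixing" the type, e.g. `static void *xkey_prov = NULL; /* GLOBAL: OSSL_PROVIDER *, kept void * for OpenSSL < 3 builds */`. Note also that the variable is declared and reset unconditionally (the `xkey_prov = NULL;` in crypto_uninit_lib sits outside the `#ifdef HAVE_XKEY_PROVIDER`), while it is only ever assigned inside that guard; that is harmless but worth a one-line comment so the asymmetry reads as intentional.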
@@ -161,6 +164,15 @@ crypto_init_lib(void)
OPENSSL_config(NULL);
#endif
#endif /* _WIN32 */
+
+#ifdef HAVE_XKEY_PROVIDER
+ if (!xkey_prov)
+ {
+ OSSL_PROVIDER_add_builtin(NULL, "ovpn.xkey", xkey_provider_init);
+ xkey_prov = OSSL_PROVIDER_load(NULL, "ovpn.xkey");
+ }
+#endif
+
/*
* If you build the OpenSSL library and OpenVPN with
* CRYPTO_MDEBUG, you will get a listing of OpenSSL
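Review bot: Neither the return of `OSSL_PROVIDER_add_builtin` nor a NULL result from `OSSL_PROVIDER_load` is checked, so a failure to register or load "ovpn.xkey" leaves `xkey_prov` NULL with no diagnostic. Because the SSL contexts in ssl_openssl.c are created with a property query prefixed by "?", OpenSSL then silently falls back to the default provider, and an operator expecting keys to be handled by the xkey provider would have no indication that they are not. Add a check after the load, `if (!xkey_prov) { /* log: failed to load ovpn.xkey provider */ }`, using the file's usual logging call, and consider checking the add_builtin result the same way. crypto_init_lib starts and ends outside this hunk.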
@@ -190,6 +202,13 @@ crypto_uninit_lib(void)
engine_initialized = false;
}
#endif
+#ifdef HAVE_XKEY_PROVIDER
+ if (xkey_prov)
+ {
+ OSSL_PROVIDER_unload(xkey_prov);
+ }
+#endif
+ xkey_prov = NULL;
}
void
@@ -718,4 +718,16 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
return 1;
}
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL) */
+
+/** Mimics SSL_CTX_new_ex for OpenSSL < 3 */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+static inline SSL_CTX *
+SSL_CTX_new_ex(void *libctx, const char *propq, const SSL_METHOD *method)
+{
+ (void) libctx;
+ (void) propq;
+ return SSL_CTX_new(method);
+}
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+
#endif /* OPENSSL_COMPAT_H_ */
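Review bot: The `/** Mimics SSL_CTX_new_ex for OpenSSL < 3 */` comment is placed above the `#if`, so it documents the preprocessor condition rather than the function and is separated from the declaration it describes. Move it inside the guard, directly above `static inline SSL_CTX *`, and say what the shim discards, e.g. `/** Mimics SSL_CTX_new_ex for OpenSSL < 3: libctx and propq are ignored, so provider selection by property query has no effect on these versions. */`. That caveat matters to callers such as tls_ctx_server_new, which pass a property query expecting it to influence key handling.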
@@ -45,6 +45,7 @@
#include "ssl_common.h"
#include "base64.h"
#include "openssl_compat.h"
+#include "xkey_common.h"
#ifdef ENABLE_CRYPTOAPI
#include "cryptoapi.h"
@@ -109,7 +110,8 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
{
ASSERT(NULL != ctx);
- ctx->ctx = SSL_CTX_new(SSLv23_server_method());
+ const char *propq = "?" XKEY_PROV_PROPS;
+ ctx->ctx = SSL_CTX_new_ex(NULL, propq, SSLv23_server_method());
if (ctx->ctx == NULL)
{
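Review bot: The property query `"?" XKEY_PROV_PROPS` is built inline with no explanation of the leading "?", which in OpenSSL property syntax makes the match optional rather than required; a reader may otherwise assume the xkey provider is mandatory here. Add a comment above the assignment, `/* "?" prefers the xkey provider but lets OpenSSL fall back to the default provider when it is not loaded */`, and since the identical two lines are repeated in the tls_ctx_client_new hunk below, consider a single file-scope `static const char *const xkey_propq = "?" XKEY_PROV_PROPS;` used by both. I cannot see from this page whether XKEY_PROV_PROPS is defined when HAVE_XKEY_PROVIDER is not, so that should be confirmed in xkey_common.h. tls_ctx_server_new continues past the end of this hunk.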
@@ -127,7 +129,8 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
{
ASSERT(NULL != ctx);
- ctx->ctx = SSL_CTX_new(SSLv23_client_method());
+ const char *propq = "?" XKEY_PROV_PROPS;
+ ctx->ctx = SSL_CTX_new_ex(NULL, propq, SSLv23_client_method());
if (ctx->ctx == NULL)
{