From aa01b82c69eeb0cfd255174111fc34a7ed5f8429 Mon Sep 17 00:00:00 2001 
From: Richard Levitte Date: Thu, 29 Sep 2016 00:40:20 +0200 Subject: [PATCH] If an engine comes up explicitely, it must also come down explicitely In apps/apps.c, one can set up an engine with setup_engine(). However, we freed the structural reference immediately, which means that for engines that don't already have a structural reference somewhere else (because it has registered at least one cipher or digest algorithm method, and therefore gets a functional reference through the ENGINE_set_default() call), we end up returning an invalid reference. Instead, the function release_engine() is added, and called at the end of the routines that call setup_engine(). Originally, the ENGINE API wasn't designed for this to happen, an engine had to register at least one algorithm method, and was especially expected to register the algorithms corresponding to the key types that could be stored and hidden in hardware. However, it turns out that some engines will not register those algorithms with the ENGINE_set_{algo}, ENGINE_set_cipher or ENGINE_set_digest functions, as they only want the methods to be used for keys, not as general crypto accelerator methods. That may cause ENGINE_set_default() to do nothing, and no functional reference is therefore made, leading to a premature deallocation of the engine and it thereby becoming unavailable when trying to fetch a key. 
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1644) --- apps/apps.c | 8 ++++++-- apps/apps.h | 1 + apps/ca.c | 4 ++++ apps/cms.c | 4 ++++ apps/dgst.c | 4 ++++ apps/dhparam.c | 7 ++++++- apps/dsa.c | 4 ++++ apps/dsaparam.c | 7 ++++++- apps/ec.c | 9 ++++++++- apps/ecparam.c | 13 ++++++++++--- apps/enc.c | 7 ++++++- apps/gendsa.c | 7 ++++++- apps/genpkey.c | 5 ++++- apps/genrsa.c | 4 ++++ apps/pkcs12.c | 4 ++++ apps/pkcs7.c | 7 ++++++- apps/pkcs8.c | 4 ++++ apps/pkey.c | 4 ++++ apps/pkeyparam.c | 7 ++++++- apps/pkeyutl.c | 4 ++++ apps/rand.c | 7 ++++++- apps/req.c | 4 ++++ apps/rsa.c | 4 ++++ apps/rsautl.c | 4 ++++ apps/s_client.c | 4 ++++ apps/s_server.c | 4 ++++ apps/smime.c | 4 ++++ apps/speed.c | 9 ++++++++- apps/spkac.c | 4 ++++ apps/srp.c | 7 ++++++- apps/verify.c | 4 ++++ apps/x509.c | 4 ++++ 32 files changed, 157 insertions(+), 16 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index ff17b35820..c9f02163b0 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1564,11 +1564,15 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) } BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e)); + } + return e; +} +void release_engine(ENGINE *e) +{ + if (e != NULL) /* Free our "structural" reference. */ ENGINE_free(e); - } - return e; } #endif
diff --git a/apps/apps.h b/apps/apps.h
index c6c3881f31..47af0fa175 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -261,6 +261,7 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); # ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); +void release_engine(ENGINE *e); # endif # ifndef OPENSSL_NO_OCSP
diff --git a/apps/ca.c b/apps/ca.c
index a0ec5838fa..673c641424 100644
--- a/apps/ca.c
+++ b/apps/ca.c
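Review bot: In apps/apps.c, `release_engine()` is added without a comment stating the ownership contract this change creates: `setup_engine()` now returns with the structural reference still held, so each caller has to pair it with `release_engine()`, and presumably only after any key or object obtained through that engine has been freed. A header comment such as `/* Drop the structural reference returned by setup_engine(); call after all objects loaded via e are freed. */` above the definition, and beside the prototype in apps/apps.h, would make that explicit. The existing "structural reference" comment also ends up between the `if` and its unbraced body; bracing it, `if (e != NULL) { ENGINE_free(e); }`, keeps the guard and the call visibly together. setup_engine()'s body begins outside the hunk, so its failure paths cannot be checked from here.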
@@ -1485,6 +1485,10 @@ int MAIN(int argc, char **argv) X509_CRL_free(crl); NCONF_free(conf); NCONF_free(extconf); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret);
diff --git a/apps/cms.c b/apps/cms.c
index 60479374cd..f62175bc94 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -1170,6 +1170,10 @@ int MAIN(int argc, char **argv) EVP_PKEY_free(key); CMS_ContentInfo_free(cms); CMS_ContentInfo_free(rcms); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free(rctin); BIO_free(in); BIO_free(indata);
diff --git a/apps/dgst.c b/apps/dgst.c
index 26afcd7b30..3eda7d743b 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -537,6 +537,10 @@ int MAIN(int argc, char **argv) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(err); }
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 57199a8d2a..0ab16e8d2f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -161,6 +161,7 @@ int MAIN(int argc, char **argv) char *inrand = NULL; # ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; # endif int num = 0, g = 0;
@@ -271,7 +272,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (g && !num)
@@ -512,6 +513,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dh != NULL) DH_free(dh); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif apps_shutdown(); OPENSSL_EXIT(ret); }
diff --git a/apps/dsa.c b/apps/dsa.c
index dedf8e174a..6978927e42 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -358,6 +358,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passin) OPENSSL_free(passin); if (passout)
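Review bot: The `if (e != NULL)` guard added before `release_engine(e)` in apps/ca.c repeats the NULL check that `release_engine()` already performs in apps/apps.c, so the call site can be reduced to `release_engine(e);`. The same two-line pattern recurs at every other call site this patch adds (cms.c, dgst.c, dhparam.c, dsa.c and the remaining apps). Dropping it there as well shortens the cleanup blocks and leaves one place that decides how a NULL engine is handled. MAIN's body starts and ends outside these hunks.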
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 824a595c37..a3a0a6ae53 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -123,6 +123,7 @@ int MAIN(int argc, char **argv) int need_rand = 0; # ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; # endif # ifdef GENCB_TEST int timebomb = 0;
@@ -264,7 +265,7 @@ int MAIN(int argc, char **argv) } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (need_rand) {
@@ -433,6 +434,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(ret); }
diff --git a/apps/ec.c b/apps/ec.c
index b04dadaf18..93fb98911c 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -95,6 +95,9 @@ int MAIN(int argc, char **argv) int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0; char *infile, *outfile, *prog, *engine; +# ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +# endif char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
@@ -236,7 +239,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
@@ -349,6 +352,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (eckey) EC_KEY_free(eckey); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passin) OPENSSL_free(passin); if (passout)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 71b67f435c..4d57ca4446 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -131,6 +131,9 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat, outformat, noout = 0, C = 0, ret = 1; char *engine = NULL; +# ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +# endif BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
@@ -312,7 +315,7 @@ int MAIN(int argc, char **argv) } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (list_curves) {
@@ -620,12 +623,16 @@ int MAIN(int argc, char **argv) BN_free(ec_cofactor); if (buffer) OPENSSL_free(buffer); + if (group != NULL) + EC_GROUP_free(group); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); - if (group != NULL) - EC_GROUP_free(group); apps_shutdown(); OPENSSL_EXIT(ret); }
diff --git a/apps/enc.c b/apps/enc.c
index 8e2ef27aca..513f5641b8 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -128,6 +128,7 @@ int MAIN(int argc, char **argv) char pname[PROG_NAME_SIZE + 1]; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; #endif const EVP_MD *dgst = NULL; int non_fips_allow = 0;
@@ -323,7 +324,7 @@ int MAIN(int argc, char **argv) } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
@@ -673,6 +674,10 @@ int MAIN(int argc, char **argv) #ifdef ZLIB if (bzl != NULL) BIO_free(bzl); +#endif +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); #endif if (pass) OPENSSL_free(pass);
diff --git a/apps/gendsa.c b/apps/gendsa.c
index fd1360acd5..c9cc9c40d2 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -87,6 +87,7 @@ int MAIN(int argc, char **argv) const EVP_CIPHER *enc = NULL; # ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; # endif apps_startup();
@@ -207,7 +208,7 @@ int MAIN(int argc, char **argv) goto end; } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
@@ -273,6 +274,10 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passout) OPENSSL_free(passout); apps_shutdown();
diff --git a/apps/genpkey.c b/apps/genpkey.c
index fef21dc7ae..16715cf387 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -275,9 +275,12 @@ int MAIN(int argc, char **argv) if (out) BIO_free_all(out); BIO_free(in); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (pass) OPENSSL_free(pass); - return ret; }
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 91e6550a57..cd4490c25e 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -314,6 +314,10 @@ int MAIN(int argc, char **argv) RSA_free(rsa); if (out) BIO_free_all(out); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (passout) OPENSSL_free(passout); if (ret != 0)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 4e7de438a7..e38d8b947e 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -755,6 +755,10 @@ int MAIN(int argc, char **argv) app_RAND_write_file(NULL, bio_err); # ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); +# endif +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); # endif BIO_free(in); BIO_free_all(out);
diff --git a/apps/pkcs7.c b/apps/pkcs7.c
index b677633183..a189290a12 100644
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -92,6 +92,7 @@ int MAIN(int argc, char **argv) int ret = 1; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; #endif apps_startup();
@@ -176,7 +177,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif in = BIO_new(BIO_s_file());
@@ -303,6 +304,10 @@ int MAIN(int argc, char **argv) end: if (p7 != NULL) PKCS7_free(p7); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (in != NULL) BIO_free(in); if (out != NULL)
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index 5099e18417..1f1de0053d 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -391,6 +391,10 @@ int MAIN(int argc, char **argv) X509_SIG_free(p8); PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free_all(out); BIO_free(in); if (passin)
diff --git a/apps/pkey.c b/apps/pkey.c
index e848049c3a..94853af4c3 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -240,6 +240,10 @@ int MAIN(int argc, char **argv) end: EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free_all(out); BIO_free(in); if (passin)
diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c
index a148a6621a..6b15065004 100644
--- a/apps/pkeyparam.c
+++ b/apps/pkeyparam.c
@@ -76,6 +76,7 @@ int MAIN(int argc, char **argv) int badarg = 0; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; + ENGINE *e = NULL; #endif int ret = 1;
@@ -135,7 +136,7 @@ int MAIN(int argc, char **argv) return 1; } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif if (infile) {
@@ -178,6 +179,10 @@ int MAIN(int argc, char **argv) end: EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free_all(out); BIO_free(in);
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index e47206c40a..665d72402e 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -357,6 +357,10 @@ int MAIN(int argc, char **argv) end: if (ctx) EVP_PKEY_CTX_free(ctx); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free(in); BIO_free_all(out); if (buf_in != NULL)
diff --git a/apps/rand.c b/apps/rand.c
index e159da37be..c112531fb9 100644
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -87,6 +87,7 @@ int MAIN(int argc, char **argv) BIO *out = NULL; int num = -1; #ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; char *engine = NULL; #endif
@@ -163,7 +164,7 @@ int MAIN(int argc, char **argv) goto err; } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); #endif app_RAND_load_file(NULL, bio_err, (inrand != NULL));
@@ -222,6 +223,10 @@ int MAIN(int argc, char **argv) err: ERR_print_errors(bio_err); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (out) BIO_free_all(out); apps_shutdown();
diff --git a/apps/req.c b/apps/req.c
index d1411c91bb..4b57443ca3 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1040,6 +1040,10 @@ int MAIN(int argc, char **argv) X509_REQ_free(req); X509_free(x509ss); ASN1_INTEGER_free(serial); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (passargin && passin) OPENSSL_free(passin); if (passargout && passout)
diff --git a/apps/rsa.c b/apps/rsa.c
index e13c14fbc8..bd1ec9ea66 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -419,6 +419,10 @@ int MAIN(int argc, char **argv) } else ret = 0; end: +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif if (out != NULL) BIO_free_all(out); if (rsa != NULL)
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 5b6f849ea7..1d5557ad9b 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -327,6 +327,10 @@ int MAIN(int argc, char **argv) BIO_write(out, rsa_out, rsa_outlen); end: RSA_free(rsa); +# ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +# endif BIO_free(in); BIO_free_all(out); if (rsa_in)
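Review bot: In apps/rsa.c the release is placed directly after `end:`, ahead of the `if (rsa != NULL)` cleanup, so the engine's structural reference is dropped while the RSA key may still be alive. The other hunks release the engine after the key or object is freed: apps/rsautl.c after `RSA_free(rsa)`, apps/pkey.c after `EVP_PKEY_free(pkey)`, and apps/ecparam.c was reordered so `EC_GROUP_free(group)` comes first. If the key was loaded through the engine and nothing else holds a reference, the engine could be torn down before the key's free path runs, which is the kind of premature deallocation the commit message describes. Moving the `# ifndef OPENSSL_NO_ENGINE` / `release_engine(e);` block to after the RSA free, which falls just outside the hunk, would make the order consistent.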
diff --git a/apps/s_client.c b/apps/s_client.c
index 41a326fbb8..876689b42a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2123,6 +2123,10 @@ int MAIN(int argc, char **argv) OPENSSL_cleanse(mbuf, BUFSIZZ); OPENSSL_free(mbuf); } +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (bio_c_out != NULL) { BIO_free(bio_c_out); bio_c_out = NULL;
diff --git a/apps/s_server.c b/apps/s_server.c
index 857a70e3e4..9adbea03c8 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2128,6 +2128,10 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_JPAKE if (jpake_secret && psk_key) OPENSSL_free(psk_key); +#endif +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); #endif if (bio_s_out != NULL) { BIO_free(bio_s_out);
diff --git a/apps/smime.c b/apps/smime.c
index 6044ccf5f5..f1f57aae49 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -736,6 +736,10 @@ int MAIN(int argc, char **argv) X509_free(signer); EVP_PKEY_free(key); PKCS7_free(p7); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif BIO_free(in); BIO_free(indata); BIO_free_all(out);
diff --git a/apps/speed.c b/apps/speed.c
index b862868eac..0c3d63f736 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -372,6 +372,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +# ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; +#endif unsigned char *buf = NULL, *buf2 = NULL; int mret = 1; long count = 0, save_count = 0;
@@ -749,7 +752,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "no engine given\n"); goto end; } - setup_engine(bio_err, *argv, 0); + e = setup_engine(bio_err, *argv, 0); /* * j will be increased again further down. We just don't want * speed to confuse an engine with an algorithm, especially when
@@ -2526,6 +2529,10 @@ int MAIN(int argc, char **argv) } # endif +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(mret); }
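Review bot: In the second apps/speed.c hunk, `e = setup_engine(bio_err, *argv, 0);` overwrites `e` without releasing any earlier value. The neighbouring comment about `j` suggests this runs inside the argument loop, so a repeated engine option would leave the first structural reference unreleased. Releasing before reassigning, `release_engine(e); e = setup_engine(bio_err, *argv, 0);`, keeps a single held reference at a time. Separately, the declaration added in the first hunk opens with `# ifndef` but closes with `#endif`; matching the directive indentation would read more consistently. The loop itself lies outside the hunk, so this should be confirmed against the full function.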
diff --git a/apps/spkac.c b/apps/spkac.c
index 8b06ec4d6e..c3792f91c4 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -305,6 +305,10 @@ int MAIN(int argc, char **argv) BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (passin) OPENSSL_free(passin); apps_shutdown();
diff --git a/apps/srp.c b/apps/srp.c
index c75052f38d..f10df5f224 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -294,6 +294,7 @@ int MAIN(int argc, char **argv) long errorline = -1; char *randfile = NULL; # ifndef OPENSSL_NO_ENGINE + ENGINE *e = NULL; char *engine = NULL; # endif char *tofree = NULL;
@@ -412,7 +413,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + e = setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
@@ -760,6 +761,10 @@ int MAIN(int argc, char **argv) if (db) free_index(db); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret);
diff --git a/apps/verify.c b/apps/verify.c
index b5ae6b370e..266d07896e 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -255,6 +255,10 @@ int MAIN(int argc, char **argv) sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); sk_X509_CRL_pop_free(crls, X509_CRL_free); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif apps_shutdown(); OPENSSL_EXIT(ret < 0 ? 2 : ret); }
diff --git a/apps/x509.c b/apps/x509.c
index 17cb62da72..8bf0a7aba0 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1040,6 +1040,10 @@ int MAIN(int argc, char **argv) ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + release_engine(e); +#endif if (passin) OPENSSL_free(passin); apps_shutdown(); -- 2.25.1