blob: 59e785caac7c6967324a2e89b8597d981db43d06 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
https://bugs.gentoo.org/916328
https://github.com/opendnssec/SoftHSMv2/issues/729
https://github.com/openssl/openssl/issues/22508
https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 15 Dec 2023 13:45:50 +0100
Subject: [PATCH] Revert "Improved detection of engine-provided private
"classic" keys"
This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
The commit was wrong. With 3.x versions the engines must be themselves
responsible for creating their EVP_PKEYs in a way that they are treated
as legacy - either by using the respective set1 calls or by setting
non-default EVP_PKEY_METHOD.
The workaround has caused more problems than it solved.
Fixes #22945
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23063)
(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
--- a/crypto/engine/eng_pkey.c
+++ b/crypto/engine/eng_pkey.c
@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
return NULL;
}
- /* We enforce check for legacy key */
- switch (EVP_PKEY_get_id(pkey)) {
- case EVP_PKEY_RSA:
- {
- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- }
- break;
-# ifndef OPENSSL_NO_EC
- case EVP_PKEY_SM2:
- case EVP_PKEY_EC:
- {
- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
- EVP_PKEY_set1_EC_KEY(pkey, ec);
- EC_KEY_free(ec);
- }
- break;
-# endif
-# ifndef OPENSSL_NO_DSA
- case EVP_PKEY_DSA:
- {
- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
- EVP_PKEY_set1_DSA(pkey, dsa);
- DSA_free(dsa);
- }
- break;
-#endif
-# ifndef OPENSSL_NO_DH
- case EVP_PKEY_DH:
- {
- DH *dh = EVP_PKEY_get1_DH(pkey);
- EVP_PKEY_set1_DH(pkey, dh);
- DH_free(dh);
- }
- break;
-#endif
- default:
- /*Do nothing */
- break;
- }
-
return pkey;
}
|